FOSS Backstage 2026

Getting Real with the Supply Chain: From SBOM Data to Action
2026-03-17, Room Auditorium

500,000 SBOMs – that’s the scale of Deutsche Bahn’s software supply chain. How do we make sense of this as a small OSPO in a large non-IT organization? Our strategy: turn this data into actionable tasks. We’ll share practical learnings on prioritizing risks, applying sensible automated compliance, and considering ecosystem sustainability.


The more insight we gain into our software supply chains, the more we face the challenge of acting on it. OSPOs must turn vast data into focused, meaningful decisions. This talk shares a risk-based framework we apply at Deutsche Bahn, designed to be broadly adoptable. It helps prioritize what truly matters: balancing compliance, governance, and sustainability.

We’ll discuss how we:

  • manage regulatory obligations like CRA and NIS2 without overburdening teams
  • set internal rules and automation that keep compliance practical
  • identify real risks instead of chasing theoretical ones
  • foster an open source culture across the organization so that teams understand and participate in communities
  • include ecosystem health in our decisions

As a small virtual OSPO in a large non-IT company, we focus on pragmatic, incremental steps rather than perfect coverage. The session offers hands-on insights for anyone trying to make sense of large-scale SBOM data and turn transparency into responsible action.
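The abstract states the goal (hundreds of thousands of SBOMs reduced to a short, prioritized task list) but, as a talk summary, not a mechanism. As an added illustration that is not the speakers' framework and not Deutsche Bahn code, the Python below indexes a few constructed CycloneDX-shaped SBOMs by package URL, applies a constructed license policy, and ranks the resulting actions by how many SBOMs each one reaches. The policy sets, the scoring weights and every package name except lodash are assumptions made for the example.

```python
"""Added example (not Deutsche Bahn's framework): turn a pile of SBOMs into a
ranked action list.  Inputs, policy sets and weights are constructed."""
from collections import defaultdict

# Constructed license policy.  A real OSPO policy is larger and legally reviewed.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
NEEDS_REVIEW = {"GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}

# Constructed CycloneDX-shaped SBOMs, trimmed to the fields used below.
# Package names other than lodash are invented for the example.
SBOMS = [
    {"metadata": {"component": {"name": "ticket-api"}},
     "components": [
         {"purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
         {"purl": "pkg:npm/promptlib@1.4.10", "licenses": []},
     ]},
    {"metadata": {"component": {"name": "timetable-web"}},
     "components": [
         {"purl": "pkg:npm/lodash@4.17.20", "licenses": [{"license": {"id": "MIT"}}]},
         {"purl": "pkg:pypi/reportgen@2.0.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
     ]},
    {"metadata": {"component": {"name": "fleet-ops"}},
     "components": [
         {"purl": "pkg:npm/lodash@4.17.21", "licenses": [{"expression": "MIT OR Apache-2.0"}]},
         {"purl": "pkg:npm/promptlib@1.4.10"},
         {"name": "internal-lib", "version": "0.1"},  # no purl: cannot be correlated
     ]},
]


def license_ids(component):
    """Collect SPDX ids, free-text names and expressions from a CycloneDX 'licenses' list."""
    found = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if lic and (lic.get("id") or lic.get("name")):
            found.add(lic.get("id") or lic.get("name"))
        elif entry.get("expression"):
            found.add(entry["expression"])
    return found


def classify(licenses):
    """Map the license set of one component to (finding, weight), or None if compliant."""
    if not licenses:
        return ("license-unknown", 3)
    if licenses & NEEDS_REVIEW:
        return ("license-review", 4)
    if licenses <= ALLOWED:
        return None
    # An SPDX expression is a single string; a set lookup cannot evaluate it,
    # so a human (or an expression parser) has to.  Flag it with low weight.
    if any(tok in lic for lic in licenses for tok in (" OR ", " AND ", " WITH ")):
        return ("license-expression", 1)
    return ("license-not-on-allowlist", 2)


def aggregate(sboms):
    """Index components by exact purl and by base purl (all versions of one package)."""
    by_purl = defaultdict(lambda: {"reach": set(), "licenses": set()})
    by_base = defaultdict(lambda: {"reach": set(), "versions": set()})
    no_purl = set()  # SBOMs containing components that cannot be correlated
    for sbom in sboms:
        owner = sbom.get("metadata", {}).get("component", {}).get("name", "<unnamed>")
        for comp in sbom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                no_purl.add(owner)
                continue
            by_purl[purl]["reach"].add(owner)
            by_purl[purl]["licenses"] |= license_ids(comp)
            base, _, rest = purl.partition("@")  # purl namespaces encode '@' as %40
            version = rest.split("?", 1)[0].split("#", 1)[0] or "<none>"  # drop qualifiers/subpath
            by_base[base]["reach"].add(owner)
            by_base[base]["versions"].add(version)
    return by_purl, by_base, no_purl


def prioritize(sboms):
    """Return actions ranked by weight * number of SBOMs affected (the task's blast radius)."""
    by_purl, by_base, no_purl = aggregate(sboms)
    actions = []
    for purl, rec in by_purl.items():
        finding = classify(rec["licenses"])
        if finding:
            kind, weight = finding
            actions.append({"action": kind, "target": purl,
                            "reach": len(rec["reach"]), "score": weight * len(rec["reach"])})
    for base, rec in by_base.items():
        if len(rec["versions"]) > 1:  # version sprawl: one upgrade path is cheaper than N
            actions.append({"action": "consolidate-versions", "target": base,
                            "reach": len(rec["reach"]), "score": len(rec["reach"]),
                            "versions": sorted(rec["versions"])})
    if no_purl:  # SBOM quality is itself a task: uncorrelatable entries hide everything else
        actions.append({"action": "fix-sbom-quality", "target": ", ".join(sorted(no_purl)),
                        "reach": len(no_purl), "score": 2 * len(no_purl)})
    return sorted(actions, key=lambda a: (-a["score"], a["action"], a["target"]))


if __name__ == "__main__":
    for a in prioritize(SBOMS):
        print(f'{a["score"]:>3}  {a["action"]:<22} {a["target"]}  (reach={a["reach"]})')
```

The ranking key is deliberately simple: a finding's weight times the number of SBOMs it appears in. On the constructed input this puts the component with no license information at all on top (it sits in two SBOMs), the copyleft review below it, and the lodash version sprawl and the SBOM with an uncorrelatable entry after that. Swapping the weights for ones tied to an organization's own obligations, or adding a vulnerability feed as a further finding source, does not change the shape of the pipeline.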

Max Mehl has been dedicated to Open Source for many years, in various roles and contributing from different perspectives. He deals with all aspects of Open Source at Deutsche Bahn, Europe’s largest railway operator and infrastructure owner. In this role, he supports teams in both using and contributing to Open Source in a professional manner. Previously, he worked for the Free Software Foundation Europe (FSFE), where he coordinated initiatives such as “Public Money? Public Code!” and REUSE.

Cornelius Schumacher is a long-time contributor and leader in the open source community. He has worked on a variety of projects, from volunteer-driven to enterprise. Originally a developer, he has moved into topics of governance, open source compliance, and how to run open source projects well. Cornelius Schumacher works as Open Source Steward in the CTO team of DB Systel, helping teams to successfully use and contribute to open source at Deutsche Bahn.
