We’ve just wrapped up the 2025 Open Source Finance Forum (OSFF) in London, and in this blog I’ll try to capture the key highlights from this year’s event while they’re still fresh. The dominant themes were the increasing prominence of legislation and governance frameworks, and what these mean for developers and practitioners.
From insightful keynotes on stage to animated conversations over lunch, all around the event there appeared to be widespread agreement that it’s time to get serious about governance, compliance, and security. The general consensus seems to be that ad hoc approaches and different rule books in every organization are no longer workable in the age of AI copilots and vibe coding.
The big question in front of the industry is how to standardize and scale strong governance without impeding delivery. Here’s our take on the key themes from the event.
Session Deep Dives
DORA: Balancing Compliance With Innovation (Monica Sasso, Red Hat)
Turning Regulatory and Compliance Requirements into Opportunities
Monica Sasso presented DORA as a strategic advantage and opportunity for financial organisations instead of the compliance burden that many might see. She took us through what successful implementation of DORA looks like and she was clear about the challenges that remain on the journey to supply chain security and visibility for financial organisations, especially the smaller firms.
A successful DORA implementation depends on “open hybrid cloud platforms, enabling interoperability, scalability, and AI-driven innovation”. Rather than a regulatory checkbox, DORA should be seen as an industry-wide resilience strategy, securing financial services for the future.
Open Source in Finance: Maintaining the New Strategic Stack (James McLeod, NatWest Group)
From Individual Tools to Strategic Infrastructure
James McLeod from NatWest highlighted the increased adoption of Open Source tools in financial organisations and pointed out that Open Source software is no longer optional, but already part of their infrastructure.
He invited all financial organisations to collaborate on and contribute to FINOS projects like the Common Cloud Controls, because the adoption of Open Source comes with responsibility.
Trust but Verify: Fixing Broken Licensing Compliance in SBOMs (Abdullah Garcia, J.P. Morgan)
Moving Beyond Software Bill of Materials Theater
Abdullah’s presentation cut straight to a critical gap in how most organizations approach software supply chain security. His central thesis—that “an SBOM without integrity verification is meaningless”—challenged the industry’s tendency to treat SBOMs as compliance checkboxes rather than security tools.
The practical focus on cryptographic hashes and identity assertions provided concrete steps for organizations to move from inventory management to actual supply chain security.
Open Source Maturity - OSS Value Creation Through Regulatory Compliance (Marcel Scholze & Katharina Grauf, PwC GmbH Germany)
Quantifying Open Source Value Through a Compliance Lens
PwC’s Marcel Scholze & Katharina Grauf opened up their talk with the stark reality that over 80% of codebases contain vulnerabilities in their open source dependencies. They introduced the Open Source Maturity Model framework which was particularly valuable as it directly aligns Open Source Program Office (OSPO) activities with regulatory requirements like DORA and the EU Cyber Resilience Act.
What This Means for Financial Services in 2025 and Beyond
After absorbing insights from industry leaders across major banks and innovative tech companies, we can see several clear patterns emerging that will define how financial organisations will approach technology in the coming years.
Compliance Infrastructure Is The New Competitive Battleground
The organizations that will dominate aren’t those avoiding regulatory complexity, but the ones leveraging frameworks like DORA and the EU Cyber Resilience Act as modernization roadmaps. Monica Sasso’s point about DORA being an “industry-wide resilience strategy” rather than a checkbox exercise captures where the industry is heading. Smart financial institutions are discovering that building compliance into their core infrastructure creates competitive advantages through faster, more secure delivery.
Supply Chain Security Is Moving From Inventory to Integrity
Abdullah Garcia’s insight that “an SBOM without integrity verification is meaningless” represents more than a technical observation—it’s a strategic imperative. With AI-assisted development creating new blind spots through internal forks and modified code, financial institutions need real-time verification capabilities embedded in their development workflows. The winners will be those who can prove the integrity of every component, not just catalog what they’re using.
AI Governance Will Define Innovation Boundaries
The AI governance conversations revealed an industry grappling with how to harness transformational technology while maintaining risk management standards. As Daniel Forsgren highlighted, AI-accelerated development practices introduce hidden risks that traditional security processes weren’t designed to handle. The EU AI Act and FINOS’s governance frameworks are creating new obligations, but also providing structure for responsible innovation at scale.
Open Source Strategy Requires Community Investment, Not Just Consumption
James McLeod’s call for financial institutions to contribute to FINOS projects reflects a shift in how the industry approaches open source. The interconnected nature of projects like Common Cloud Controls means strategic advantage comes from participating in and shaping these collaborative efforts, not just implementing them. Organizations treating open source as a purely cost-saving exercise are missing the strategic value of community-driven innovation.
TL;DR: Looking ahead, the financial institutions that will thrive are those treating governance, compliance, and security as enablers of innovation rather than barriers to it. When you can verify supply chain integrity in real-time, automate compliance workflows, and govern AI systems transparently, you’re not only reducing risk, but also building the operational foundation for sustainable competitive advantage in an increasingly complex regulatory environment.
Kosli’s takeaways on the Big Themes at OSFF
Software Compliance and Governance Are Now Strategic Infrastructure
Financial institutions are recognizing what forward-thinking engineers have known for years: regulatory frameworks like DORA and the EU Cyber Resilience Act aren’t compliance burdens, but strategic infrastructure investments.
These frameworks require comprehensive supply chain visibility, automated policy enforcement, and continuous monitoring - the exact capabilities modern financial services need to compete effectively.
The business case is becoming undeniable. With over 80% of codebases containing vulnerabilities in their open source dependencies, and most SBOMs lacking proper integrity verification, compliance has evolved from a checkbox exercise into foundational infrastructure for secure, auditable operations. Organizations can’t afford to treat this as an afterthought.
What’s revealing is how organizations approaching compliance as infrastructure are outperforming those treating it as overhead. By embedding compliance into their CI/CD pipelines and treating governance as code, they’re building competitive advantages through faster, more secure delivery while meeting their regulatory requirements.
The hidden costs of cloud compliance remain real, but smart organizations are architecting systems where compliance capabilities directly enhance operational efficiency rather than competing with it.
AI Governance and Compliance: From Hype to Regulated Reality
Unsurprisingly, AI conversations were also prevalent at OSFF, with more and more financial organisations implementing AI in their workflows.
Daniel Forsgren, Chief Technology Officer at FossID, raised an interesting topic when talking about The Rise of Internal Forks. While AI-development practices increase the speed of digital transformation in financial organisations, they also introduce hidden risks.
In his words, the rise of AI-development “is increasing the prevalence of internal forks, where modified external code becomes unmanaged and invisible to traditional security and compliance processes. In a highly regulated industry like financial services, these forks pose significant challenges, including security vulnerabilities, compliance gaps, and technical debt that can impact operational resilience.”
However, the regulatory landscape is creating new compliance obligations that extend far beyond traditional software governance. The EU Artificial Intelligence Act is reshaping how financial institutions must approach AI development and FINOS’s AI Governance Framework provides industry standards for responsible AI adoption.
The challenge is not technical capability but organizational readiness—financial institutions must implement systematic AI governance processes that track system behavior, environmental impact, and regulatory compliance simultaneously.
Software Supply Chain Security: From Visibility to Verification
Lastly, the supply chain security discussions at OSFF highlighted a critical evolution in how financial institutions are approaching third-party code risk.
What’s become clear is that traditional approaches to software composition analysis (SCA) are insufficient for the complexity of modern development practices. J.P. Morgan’s Abdullah Garcia delivered perhaps the most practical insight of the conference when he stated that “an SBOM without integrity verification is meaningless”.
The core issue isn’t just knowing what components you’re using, but verifying that those components are actually what they claim to be through cryptographic hashes and identity assertions. This shift from inventory management to integrity verification represents a fundamental change in how financial institutions must approach supply chain governance. Effective supply chain security demands cryptographic verification of component integrity, real-time monitoring of software changes, and automated policy enforcement across development workflows.
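To make the inventory-versus-integrity distinction from Abdullah Garcia’s talk (and the summary above) concrete, here is a small added example of the check a pipeline would run. It is not code from the talk, from FINOS or from Kosli: the CycloneDX SBOM, the artifact bytes and the `<name>-<version>.jar` file layout are all constructed for this illustration. It hashes each shipped artifact with the algorithm the SBOM declares and compares the digest, and it deliberately treats a component with no hash as a failure rather than a pass, since an entry that cannot be verified is inventory, not evidence.

```python
"""Verify that components in a CycloneDX SBOM match the artifacts actually built.

Added example (not code from the OSFF talk, FINOS or Kosli). The SBOM and the
artifact bytes below are constructed so the script runs offline. Assumed
convention: component <name>-<version>.jar lives in the artifact directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed SBOM. "libfoo" lists the correct digest; "libbar" lists a digest
# that no longer matches the shipped bytes (think: a patched internal fork that
# was never re-inventoried); "libbaz" has no hash at all; "libqux" never shipped.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "purl": "pkg:maven/example/libfoo@1.2.0",
         "hashes": [{"alg": "SHA-256", "content":
             "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}]},
        {"type": "library", "name": "libbar", "version": "3.1.4",
         "purl": "pkg:maven/example/libbar@3.1.4",
         "hashes": [{"alg": "SHA-256", "content":
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
        {"type": "library", "name": "libbaz", "version": "0.9.0",
         "purl": "pkg:maven/example/libbaz@0.9.0"},
        {"type": "library", "name": "libqux", "version": "2.0.0",
         "purl": "pkg:maven/example/libqux@2.0.0",
         "hashes": [{"alg": "SHA-256", "content":
             "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}]},
    ],
})

# Constructed artifact contents: libfoo really is b"abc" (matches the SBOM);
# libbar was modified to b"hello" after the SBOM was generated; libqux is absent.
ARTIFACTS = {
    "libfoo-1.2.0.jar": b"abc",
    "libbar-3.1.4.jar": b"hello",
    "libbaz-0.9.0.jar": b"anything",
}


def digest_file(path: Path, alg: str) -> str:
    """Hash a file with a CycloneDX algorithm name such as 'SHA-256'."""
    h = hashlib.new(alg.lower().replace("-", ""))  # 'SHA-256' -> 'sha256'
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_component(comp: dict, artifact_dir: Path) -> str:
    """Return 'ok', 'no-hash', 'missing' or 'mismatch' for one SBOM component."""
    hashes = comp.get("hashes") or []
    if not hashes:
        return "no-hash"  # listed but unverifiable: SBOM theater
    path = artifact_dir / f"{comp['name']}-{comp['version']}.jar"  # assumed layout
    if not path.is_file():
        return "missing"
    for h in hashes:  # every declared digest must match
        if digest_file(path, h["alg"]).lower() != h["content"].lower():
            return "mismatch"
    return "ok"


def verify_sbom(sbom: dict, artifact_dir: Path) -> dict[str, str]:
    """Map each component's purl to its verification status."""
    return {c["purl"]: verify_component(c, artifact_dir) for c in sbom["components"]}


def passes_policy(results: dict[str, str]) -> bool:
    """Release gate: every listed component must verify as 'ok'."""
    return all(status == "ok" for status in results.values())


def run_demo() -> dict[str, str]:
    """Write the constructed artifacts to a temp dir and verify the SBOM against them."""
    with tempfile.TemporaryDirectory() as d:
        artifact_dir = Path(d)
        for name, data in ARTIFACTS.items():
            (artifact_dir / name).write_bytes(data)
        return verify_sbom(json.loads(SBOM_JSON), artifact_dir)


if __name__ == "__main__":
    results = run_demo()
    for purl, status in results.items():
        print(f"{status:9} {purl}")
    print("release gate:", "PASS" if passes_policy(results) else "FAIL")
```

Run as-is and the gate fails on three of the four components, which is the point: a complete inventory tells you nothing until each entry has a digest and that digest is checked against what actually ships. In a real pipeline the artifact lookup would go through the purl or the resolver’s download record rather than the filename convention assumed here, and the digest comparison would be paired with a signature or attestation check on the SBOM itself.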
Meanwhile, the multi-cloud reality means that supply chain controls must work consistently across different cloud providers and deployment models. The FINOS Common Cloud Controls project is addressing this by creating reusable, technology-agnostic security controls that can be automated and validated across cloud environments.
The message from OSFF 2025 was clear: the future belongs to organizations that embed governance into their engineering DNA rather than bolting it on as an afterthought.
At Kosli, we will continue to contribute to the Common Cloud Controls project and help financial organisations automate their software governance and compliance processes.
See you at OSFF in New York in October 2025! 🇺🇸
Want to dive deeper into automated governance for financial services? The challenges discussed at OSFF 2025 are exactly what we’re solving at Kosli. Check out our latest insights on compliance automation or contact us to explore how other financial institutions are turning compliance from a bottleneck into a competitive advantage.