LF Energy Summit Europe 2026

In the world of open-source governance, we are currently facing ‘waves the size of Nazaré’ in the form of regulatory changes, while the intensity of attacks on organizations’ digital services and supply chains continues to increase. It remains a mystery why many organizations respond by hiding behind ever-higher ‘walls of paperwork’ and creating cumbersome bureaucratic processes. We suggest a different path: to surf these waves and treat them as opportunities for progress.

This session presents a lean, developer-centric approach to governance. Instead of relying on isolated GRC tools (or spreadsheets), we treat compliance as if it were a collaboration between developers. We collect applicable and auditable requirements from open standards and transform them into human-readable data records using OSCAL (Open Security Controls Assessment Language) ... and store them in GIT. We combine classic automation with AI agents to get compliance tasks done. In this session, we will show you real-world cases along the journey through a continuous improvement iteration (PDCA cycle) and demonstrate what can be achieved with such a workbench.

As power grids transition to highly integrated cyber-physical systems, the complexity of control architectures poses a major challenge for resilience and scalability. This session introduces CyberGridML, a modeling language based on MBSE (Model-Based System Engineering) and the OMG SysML v2 standard, designed to evaluate the impact of digital architecture on operational performance.
We will demonstrate how to model a modular SCADA system across three architectural layers: functional control, digital resources and hazard modeling (computing failures, network failures, network latency, etc.). Through a concrete case study, we show how the CyberGridML methodology enables a rigorous assessment of trade-offs between resilience, operational efficiency and cost, and how these models can be leveraged within digital twin environments such as TwinEU control-room twin to support realistic experimentation and training.

While the world depends on the unimpaired generation and transmission of electrical power, the systems controlling the critical services stay – from a security point of view – often in the shadows. Many assumptions of the past – especially in times of fast redispatch – need to be challenged, and the communication systems have to be monitored more closely. You will learn from real world cases and successful attacks the necessity of looking deeper into the communication of every system to system of systems, from substations up to the control room. The German Federal Office for Information Security (BSI) is supporting the usage of the Open-source Framework Malcolm in several ways, and this talk will show you the benefits by adopting it.

The Cyber Resilience Act (CRA) and NIS2 directive impose stringent cybersecurity obligations on industrial deployments, leaving organizations to navigate complex requirements around vulnerability management and supply chain transparency. For LF Energy projects, the challenge is to actively facilitate compliance for downstream users.

Building directly upon the foundations presented at the LF Energy Summit 2025 regarding SBOMs and vulnerabilities in SEAPATH, this session demonstrates how the project proactively addresses European regulations to alleviate the compliance burden on industrial users.

We will detail the implementation of robust security practices: restricted reporting channels, clear security governance guidelines, and automated SBOM generation. Furthermore, we will highlight the integration of VulnScout an open-source vulnerability analysis tool within SEAPATH’s CI pipeline for real-time tracking. Attendees will gain a clear blueprint of how open-source projects can deliver pre-packaged compliance artifacts.

The European energy grid's modernization embeds physical and digital "kill switches" within smart assets and their software supply chains.
True digital sovereignty cannot be purchased as a proprietary product; it is an ongoing operational discipline. In this session we will dissect how the principles of open source, open standards, and reproducible builds directly mitigate the risk of both physical and logical kill switches. We will move beyond the theoretical to explore the concrete architectural patterns required to build a "Sovereign Stack" for energy systems, providing real examples. Specifically, we will demonstrate how to enforce:
Supply Chain Attestation: Generating and validating cryptographically signed Software Bills of Materials (SBOMs) from source to production edge.
Immutable and Reproducible Edge Environments: Ensuring that operating systems and container platforms deployed on grid edge nodes can be fully audited, rebuilt from source, and run completely air-gapped.
Decoupled Control Planes: Architectural designs that separate software delivery from operational runtime, ensuring that a vendor cannot unilaterally "kill the switch" on a running grid system.