EU Entity Update

[Andrew van der Stock]

Hi folks,

The new EU entity is well on its way to being ready for use. Current status is:

• The foundational documents have been signed and accepted by the Belgian government
• We are awaiting approval of the entity by the government, expected timeframe is about three - four weeks
• We have a virtual office address in central Brussels
• We cannot open a bank account until this is done
• We cannot fund the entity until the bank accounts are open
• The protections we are wanting need to be crafted and applied at a future general Board meeting
• Considering that the entity will not be open in time for the June Board meeting, I am planning a general meeting to be after the July Board meeting to approve the Global Foundation, but some of these are specific to activities the Global Foundation does and the new entity will not be doing, so there might be some policies not adopted, and others might need to be modified to allow for the protections we are seeking. 
• There are public and private Google Groups for the EU board, with all members of the EU Board on both, and Dawn included on the public one
• There are public and private Slack channels, with all members of the EU Board on both, and Dawn included on the public one
• I have asked Dawn to ensure that all relevant materials are sent to them, and conflict of interest forms 
• I am investigating if we continue to use Board Source training for the two new Directors, or if we try something different. I'm leaning towards Board source training.

Once the EU entity has been approved and a bank account stood up, we can apply for VAT status in Spain, Austria, and France, where we need them first. 

thanks,

Andrew

[Avi D (BoD & OWASP Israel)]

Thanks for the efforts Andrew! I know this took much work over several months.

 

I do have one question, my impression was that there was consensus among the Board that we needed to have a proper structure in place, with adequate protections and control, before commencing the official creation of the entity. According to my (faulty) memory, the last thing we had agreed upon was that you would get that defined correctly, and bring it back to the Board for an approval vote.

 

Did I misremember, or miss some other discussion with a different outcome? Again once this entity is set up in this way, we the Foundation Board have no control, input, or interest in this entity and cannot vote to change or apply anything.

 

Avi D

--
You received this message because you are subscribed to the Google Groups "Global-board" group.
To unsubscribe from this group and stop receiving emails from it, send an email to global-board...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/3d59a8d7-e234-4f32-a4ea-5aa437313e9an%40owasp.org.

[Andrew van der Stock]

Hi Avi,

Under Belgian corporate law for the iVZW, the protections the Board sought are not possible. They are independent associations with a Board of Directors. If we wanted to pay tax, we could have had a commercial entity that was fully under our control, but that would have precluded us from getting EU grants, and it would mean that we would be paying VAT for all our conferences. The trade off between the goals and control are incompatible. We needed to get the entity created because we need it to do VAT for Spain (and Portugal, France, and Germany too). We will not fund the entity until such time as we have adequate policy / bylaw protections in place. I will work with the new Board to get these into place and passed as soon as possible after the Belgian government has approved the new entity's tax free status. 

thanks,

Andrew

[Andrew van der Stock]

Apologies, I misspoke when I wrote "tax free", which is often the case in the USA, but this is incorrect for the EU. Nonprofit associations in the EU have preferential tax treatment that leads to reduced taxes, not no taxes. Nonprofit associations are not tax-free in any EU nation. 

thanks,

Andrew

To unsubscribe from this group and stop receiving emails from it, send an email to global-board+unsubscribe@owasp.org.

[Louis Griffith]

Hi Andrew,

I too remain concerned because the Board was explicit about the safeguards it believes are essential. Early in your message you note that those protections cannot be accommodated under Belgian law, yet later towards the end you say we will defer funding until “adequate policy / by-law protections” are adopted which is causing some confusion for me.

Could you clarify:

• Which specific protections you intend to propose?
• How they differ from—or satisfy—the protections the Board originally expected?
• The anticipated timeline for drafting and approving these measures once the entity’s tax status is confirmed?

Looking forward to your response.

Ricardo

Sent from my iPhone

On Jun 12, 2025, at 5:50 PM, 'Andrew van der Stock' via Global-board <global...@owasp.org> wrote:



To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/CADtrMx4gFB2fqf5P5C%3DrvUvcPw12tvcwBphXT4qdv7_pShWraw%40mail.gmail.com.

[Andrew van der Stock]

Hi Avi and Ricardo

The specific controls from my perspective are governance, strategy, and financial. 

Governance

- We need a Director's Policy to replace the Elections policy that describes the process for selecting, evaluating Director performance, and ensuring that the Global Foundation can dismiss ineffective, inactive, or misaligned EU Directors through a 2/3rd vote of the Global Foundation Board

- We need an Implementation of Bylaw or Policy Changes Policy that ensures that Global Policies are adopted by the European Foundation within three months of their adoption or change, with any changes to be approved by the Global Foundation, including the requirement for a 2/3rd vote for any bylaw or policy changes 

- We need a Signatory Policy that ensures that the Global Executive Director has Power of Attorney and sits on the EU foundation's Board to conduct day-to-day business on behalf of the Global and EU Foundations

Strategy

- We need a bylaws amendment and associated Mission, Governance, and Strategy Alignment Policy that enshrines the Global Foundation's mission, vision, social purpose, and strategy to be the same as the EU Foundation's at all times. The bylaws already state this, as I created it like that, but we need a policy mechanism to keep them in lock step. 

Financial

- We need an Finance and Audit Policy that ensures that the same external auditor is used for both Global and EU Foundations, to ensure that financial controls are in place, in use, and effective.

Lastly, it is my goal that the EU Foundation will adopt as many of the Global Policies as are relevant:

• Awards and Scholarships Policy
• Board of Directors Code of Conduct
• Board, Volunteer, and Participant Travel Policy
• Code of Conduct
• Conference & Event Attendee
• Conflict Resolution
• Conflict of Interest Policy
• Events Policy
• Events Submission Timeline Change
• Expense Policy
• Force Majeure and Sanctions Policy
• General Disclaimer
• Global AppSec Program Teams
• Grant Policy
• Implementation of Bylaw or Policy Changes (amended as above)
• Privacy Policy
• Signatory (amended as above)
• Social Media
• Whistleblower & Anti-Retaliation Policy

Some of these will need to be changed to reflect local laws and regulations, such as Privacy Policy will require review by a Belgian lawyer competent in GDPR. 

The following policies are not needed as I don't intend to do them in the EU, but do them instead globally:

• Branding Guidelines 
• Chapters Policy
• Committees Policy
• Community Review Process
• Donations Policy
• Elections Policy (this will need to be replaced by a Director's policy, as we can't easily tell who is an EU member for the purposes of an election). 
• Mailing Lists
• Membership Policy
• OWASP Word Mark Usage Guidelines
• Project Policy
• Working Groups Policy

How they differ? 

Unfortunately, there is no way to get the original idea of a wholly owned and controlled entity that is a nonprofit social purpose association, so we need to instead manage the issue with appropriate bylaw and policy changes, which would have been necessary anyway, even if it was the original way that we wanted. Just as the Global Board can change its own bylaws and policies with a 2/3rd vote at any time, and could undo anything at any time, including dissolving the EU Foundation, the EU Foundation can do so too. With the above bylaw changes and policies, we should be able to align the two Foundations strategically, financially, and with sufficient oversight to ensure effective control over the organization. 

Timeline

I expect the Belgian government to approve the EU Foundation within 3-4 weeks. I want to have the key policies that must be implemented (the ones in bold) ready for a Global Board review and EU Foundation vote by the time this happens. Once that's done, I will schedule an EU Board meeting to approve at the very least the primary (bold) policies and any other required global policies. Once that's done, I will work with Maxim and Aram to open a bank account for the new Foundation. After that, I will ask the original EU entity Directors to nominate a date to come to Belgium to get the funds out of ING and transfer them to the new entity. All three of the old entity's directors must appear in person to withdraw the funds and properly close the account. I hope that this can all be done by the European summer holidays. The great unknown right now is when the EU Foundation will be approved, and then the only other thing that is out of my control is when the original entity's Directors can come to Belgium to transfer the funds to the new entity.

Thanks,

Andrew

To unsubscribe from this group and stop receiving emails from it, send an email to global-board+unsubscribe@owasp.org.

To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/global-board/3d59a8d7-e234-4f32-a4ea-5aa437313e9an%40owasp.org.

--
You received this message because you are subscribed to the Google Groups "Global-board" group.

To unsubscribe from this group and stop receiving emails from it, send an email to global-board+unsubscribe@owasp.org.