Daniel Thompson-Yvetot, a man who has been building software since 1985, finds himself at a fascinating crossroads. The co-creator of the open-source toolkit Tauri and CEO of Crabnebula is now diving headfirst into the world of regulatory compliance. His reason is simple: Europe is rewriting the rules of the digital game, and he believes Malta is perfectly positioned to become a central player.
“I am one of maybe 100 people in Europe that knows the Cyber Resilience Act in very deep detail,” Mr Thompson-Yvetot said during an interview at the inaugural Comply.Land conference, which he co-founded. “And I'm building several businesses around that new reality.”
This new reality is seismic. The European Union’s Cyber Resilience Act (CRA) fundamentally reclassifies software from a service to a product, complete with liabilities and certification requirements.
“Europe has decided that now software is a product,” he explained. “A product that carries liabilities, you have to certify it or get it certified, you have to declare its conformity, and every mobile app is going to have to comply with this. Every single one.”
This shift, while daunting for many, is what Mr Thompson-Yvetot calls a “Cambrian opportunity” – an explosion of new needs and services. “From insurance, to legal, to corporate service, to authorised representation, to general consultation,” he listed. The scope is vast.
From code to compliance: The personal journey
For Mr Thompson-Yvetot, this pivot is a fusion of personal passion and professional inevitability. His work in the open source community brought him to a deeper understanding of European regulations, which led him to write a book, Manufacturing European Software, and ultimately, to launch the Comply.Land conference in Malta. This in turn led him to write cybersecurity standards for the European Commission via the European Telecommunication Standardization Institute (ETSI).
But what drives a lifelong technologist to embrace a field often perceived as dry? Mr Thompson-Yvetot likens it to a complex, rewarding puzzle. “What is the fun of it? You know, a jigsaw puzzle? Like, solving a jigsaw puzzle. Finding those pieces that fit together,” he said.
“We now know, more or less, what the shape of the Cyber Resilience Act is going to be. But there's a lot of details. And I get to be one of those people that helps carve out the final shape of a couple of those puzzle pieces. And I find that exciting.”
This excitement is rooted in a deeper desire to “make things good.” For him, good software has always meant something “cyber secure, easy to use, performant, that is efficient.” Now, ‘good’ must also include ‘compliant.’ He sees this as an ultimate opportunity: “The opportunity to make our world a better place through safer software? Come on! That's pretty amazing when you put it that way.”
Why Malta?
The choice to base this new venture in Malta was both strategic and personal. After an abortive attempt to move to Ireland – thwarted by a border control officer who granted him only a 10-day visa despite his French residency – Mr Thompson-Yvetot found himself on a direct flight to Malta.
For a photographer, Malta has something particular to offer. “I fell in love with the light. September lightning in Valletta,” he recalls. But beyond the aesthetic appeal, Malta’s practical advantages were clear. As an EU member state with English as an official language, it offered the ideal blend of accessibility and opportunity. “When you need to find an English-speaking business partner… it's either Ireland or Malta. Ireland, the taxes are higher, the benefits are not as nice, and the climate is just dreary.”
More importantly, Mr Thompson-Yvetot sees an untapped potential for Malta on the European stage. “When I see expert groups being formed, there should be a representative from every European country. Is there always one from Malta? No.” He aims to change that, wanting to “shape the economy of this country with a line of business that didn't exist before.”
The stakes for businesses
The implications of the CRA, paired with the Product Liability Directive, are profound. Mr Thompson-Yvetot laid out a stark scenario for small startups. “If you're a consumer and you're damaged by a product with digital elements, you have the right to sue the manufacturer… If your pictures get deleted by the software because the software is defective, you can claim damages.”
This creates immense risk for small players. “Suddenly, you're these two friends in the basement and you just graduated from college, and you got this great idea… and then you're liable to every consumer and you weren't aware of it?”
The solution is a new company he is helping create, Minimum Viable Compliance (MVC), which offers a “multi-layered defense in depth.” This involves providing companies with tools and training to go from design to long-term maintenance, as the CRA mandates providing cybersecurity updates for five years. “This changes the nature of product,” he noted. “Now you must retain [engineers] because you have to apply security updates for five years.”
A conference for connection
The Comply.Land conference itself was born from a need to bridge a critical communication gap. Jürgen Kreutz, the other co-founder of the conference, explained the impetus: “There are so many compliance standards… All the companies are overwhelmed. What's going on there? Nobody has a clue what we should do or how it is.”
Mr Kreutz criticised some regulations as being created by people in a “tower in Brussels,” risking becoming “paper tigers – heavy on documentation but light on practical, pragmatic security.”
The conference aimed to bring all stakeholders – regulators, lawyers, consultants, and software developers – into one room. “We are bringing the regulators who write the rules into the same room as the engineers who have to implement them,” Mr Kreutz said. “That honest dialogue is what has been missing.”
Building a compliant future, the right way
Despite the serious stakes, Mr Thompson-Yvetot’s approach is infused with a philosophy of fairness and quality, honed through his work at Crabnebula. He proudly runs a company with a four-day work week, transparent equal pay, and a focus on nurturing young talent. “I pay people well. I give them good conditions. I'm a great boss. That's what they tell me. People don't quit. That's, I think, the best signifier.”
It is this blend of technical expertise, artistic passion for “carving” solutions, and a commitment to ethical business that Daniel Thompson-Yvetot brings to the daunting world of compliance. For him, it’s not about stifling innovation with red tape, but about building a safer, more trustworthy digital future – and placing Malta firmly at the center of that new European landscape. As he succinctly put it, “It’s an opportunity that, I don't know, maybe because of my history, it's something that I'm really good at.”