Open Source and the CRA: It will not work in the EU. Read more and learn how you can help!

Call to action for the Linux Foundation Europe open source community

Cyber Resilience Act: it’s time to act to #FixTheCRA!

The European Union’s Cyber Resilience Act (CRA) legislation is making its way through the legislative process, currently being discussed within the European Parliament (Rapporteur is Nicola Danti) and the European Council. It will soon enter the EU trilogue phase, which is the last step before the EU parliament will vote on the CRA in the plenary. The Linux Foundation has provided guidance as to what everyone involved in open source development should know about the CRA, as well as a deeper analysis on whether the Cyber Resilience Act will help the European ICT sector compete. The policy goals of the CRA - reducing vulnerabilities in digital products, ensuring cybersecurity is maintained throughout a product’s life cycle, and enabling users to make informed decisions when selecting and operating them - are widely supported, including by LF Europe. Major concerns remain about how the CRA aims to achieve these goals, especially in the context of the open source ecosystem.

While the Linux Foundation strongly shares the goal of bolstering the security of the software supply chain, with the Open Source Security Foundation being the most concrete example of our commitment, there continues to be broad consensus that the Act, as currently drafted, inadvertently risks imposing a major burden on open source contributors and non-profit foundations. If you are not familiar with this, please take a look at the critical responses from many different and diverse open source and industry stakeholders:

Linux Foundation Europe, part of the Linux Foundation, a community which maintains the largest shared technology investment in the world, has been active on multiple fronts to prevent the risk of the CRA stifling open source innovation, a pillar the EU itself has identified as critical to achieving its human-centered technology and social goals.

Our response is articulated in 5 areas:

  • We work alongside other open source organizations under the Open Forum Europe (OFE) auspices to support concrete, common-sense proposed amendments and engage with policy makers to offer guidance and advice on the functioning of the open source ecosystem.
  • We engage with Linux Foundation Europe participants to educate on the potential issues with the legislation and instigate action.
  • We co-signed an open letter together with a broad coalition of open source foundations, calling on the EU for a closer collaboration and consultation with open source communities on CRA and on future legislation.
  • We organize panel discussions and birds-of-a-feather sessions to discuss the issue with the European Community, for example at KubeCon Europe or at the Open Source Summit Europe in September 2023.
  • We are actively working to create venues for cross-foundation collaboration, aimed at providing broad representation of the open source community and an interlocutor for ongoing dialogue with policy makers.


Help us #FixTheCRA!


Today we are calling for the broader community to take immediate action. Whether you are an individual contributor, a corporation contributing to or relying on open source, or a public sector representative, your active participation matters. We encourage you to vocalize your concerns. Below, you can find some sample tweets:

Individual Developers

“The current state of the EU's Cyber Resilience Act (CRA) will have severe and negative consequences for open source communities. Help us #FixTheCRA by making your voice heard: https://linuxfoundation.eu/cyber-resilience-act
@LF_Europe @ep_industry”

Business Contributors

“The European tech sector relies on #opensource software to compete. The EU Cyber Resilience Act threatens to make this harder and more costly.
Make your voice heard: https://linuxfoundation.eu/cyber-resilience-act @EP_Industry, please #fixtheCRA!”

If you want to engage further with this effort, either individually or on behalf of your organisation (e.g. through your public affairs department), please fill out the form below to get in touch with Linux Foundation Europe. You can also join our CRA dedicated Discord channel.

Open source is critical to modern society, in Europe and beyond. Make sure your voice is heard.