The EU Cyber Resilience Act is Coming: Linux Foundation Enables Open Source Software Stewardship for the CRA

The negotiations on the EU Cyber Resilience Act (CRA) have concluded. Once approved in a final vote by the EU Parliament, the transition period in which the CRA comes into effect will probably begin in mid-2024. Linux Foundation Europe strongly supports the policy goals of the CRA: reducing vulnerabilities in digital products, ensuring cybersecurity is maintained throughout a product’s life cycle, and enabling users to make informed decisions when selecting and operating them. As the open source ecosystem adjusts to the new legal framework, Linux Foundation Europe will provide guidance on CRA compliance to our projects and foundations, to our members, and to the wider community.

The CRA introduces the role of open source software stewards for organizations that provide sustained support for the development of free and open source software products. Stewards are the counterparts to manufacturers who ship products to market, and play an essential role in enabling manufacturers to deliver their products. Since cybersecurity is everybody’s responsibility, as the CRA is being finalized, the Linux Foundation will proactively step into the role of open source software steward as called for by the legislation. We will develop the necessary guidance, training, processes, policies and tools to help our foundations, projects, and the wider open source ecosystem improve cybersecurity.

The CRA negotiations have been difficult. At the beginning of 2023, it looked like the law could make upstream communities responsible for downstream vulnerabilities. During this period, Linux Foundation Europe worked with a broad coalition of open source supporters to provide feedback and suggestions to the EU lawmakers. We are grateful to them for having taken our input seriously and considered it as the new law was finalized. We are pleased that with this cooperative approach, the CRA transitioned from a potential threat to an opportunity for the open source ecosystem. Thanks to everybody who supported us in this process! The Linux Foundation will continue to provide stakeholder feedback and suggestions to EU regulatory initiatives and to offer cooperation and advice. #thanksforfixingtheCRA

We encourage open source stakeholders to engage with us as the CRA goes into effect. Whether you have a project that needs to understand the new role, run an open source project that needs an effective steward, or are a manufacturer who needs training and advice, working together will make it easier.

Please register below to stay up to date as Linux Foundation Europe rolls out CRA-specific open source software stewardship programs!