In response to the European Parliament’s recent adoption of the Cyber Resilience Act (CRA), seven prominent open-source foundations are joining forces to develop common specifications and standards. The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation aim to leverage their collective expertise to ensure compliance with the new legislation, which will take effect in 2027.
The CRA seeks to enforce cybersecurity best practices for both hardware and software products sold within the European Union. It mandates that manufacturers of internet-connected devices stay abreast of the latest security updates and patches or face penalties of up to €15 million or 2.5% of global turnover.
Initially introduced nearly two years ago, the CRA faced criticism, particularly from open-source industry bodies concerned about its potential impact on software development. There were fears that upstream open-source developers could be held liable for security flaws in downstream products, discouraging volunteer contributions. However, revisions to the legislation addressed these concerns by clarifying exemptions for non-commercial developers and recognizing the role of open-source stewards, such as not-for-profit foundations.
While the legislation has been approved, it won’t be enforceable until 2027, allowing stakeholders time to prepare and refine their compliance strategies. The seven open-source foundations are collaborating to meet the CRA requirements effectively.
One of the key challenges is ensuring comprehensive documentation within open-source projects, which often lack standardized practices. By uniting efforts, these foundations aim to establish consistent standards and processes across the open-source ecosystem. This collaborative approach will not only support compliance with the CRA but also address broader cybersecurity concerns in the software industry.
Led by the Eclipse Foundation, the initiative underscores the importance of aligning cybersecurity processes and standards across the open-source community. As regulatory scrutiny increases globally, the collaboration seeks to strengthen the resilience of the software supply chain and promote cybersecurity best practices.