CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps

Last week the Linux Foundation Europe and OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the Linux Foundation, other upstream open source foundations, community experts, and government officials came together to reach a common understanding of the obligations of both Manufacturers and Stewards, and of how each group needs to collaborate as the legislation starts to go into effect over the next three years.

CRA Stewards and Manufacturers Workshop Recap

The meeting’s participants delved into assorted topics that set the scene for a series of workshops on specific aspects of the necessary collaboration between the Manufacturers that sell digital goods on the European Market, the Stewards (foundations) that can help support them, and European regulators and parliamentarians. Audience members got insights into how several upstream projects like the Linux kernel and Kubernetes have adjusted their security practices over the last few years to better adapt to the changing global regulatory landscape. Participants were given an overview of the numerous existing and in-flight efforts from governments around the world to better understand and protect their citizens from digital attacks. They were also informed about projects within the Linux Foundation, such as the many efforts of LF Research to help quantify the security challenges facing maintainers and consumers, the OpenSSF’s portfolio of open source security tools, practices, and templates, and the suite of capabilities within the LF’s portfolio to support our projects.

The workshops focused on specific areas within the Manufacturers and Stewards’ domains that the attendees felt were most important to work together on.  These areas included: 

  • Readiness & Awareness for all parties involved within the legislation, and how collateral can be assembled and disseminated to those that need it
  • Tooling, Process, & Formats for data and systems that could be leveraged to help the parties work towards compliance
  • Community Specifications to International Standards, which discussed how to get engaged with the standards harmonization efforts that are ongoing within the Union and talked through several possible ways our community can help identify good practices that could be used in implementing compliance with the law

The event was so successful that the OpenSSF’s Technical Advisory Council voted to approve the creation of a new working group (the Global Cyber Policy Working Group) and three workstreams to continue the conversations and collaboration on these important areas. This group will begin forming and should be conducting public meetings early in the new calendar year.

Ways to Participate

Global Cyber Policy Working Group (WG):

The Global Cyber Policy Working Group will house the three workshop streams we all collaborated on December 11-12. These will be Special Interest Groups (SIGs) underneath the larger Working Group:

Recurring SIG meeting times are being determined to facilitate charter approval and select chairs and co-chairs for the Working Group and SIGs. Community members are encouraged to join our efforts going forward by joining the mailing lists, the Slack channel, and attending SIG meetings. If you are interested in helping us lead these efforts, please let us know. From there, the Working Group and SIGs will be able to define and determine how they’ll conduct themselves and manage their work together.

The Working Group and all the materials that it and the sub-teams will be working on together are public and open to LF members, interested community members, and other Foundation members. In classic open source practice, “patches are welcome!” We assembled an amazing group for the workshop, but now we need all of you to share with your organizations, your members, and stakeholders so that we collectively can help our maintainers, our manufacturers, and our stewards/foundations all meet our upcoming obligations with the EU Market. Open Source is truly a team sport, and we’re better and stronger together.

To learn more about what was discussed at the workshops, we’ve shared the meeting notes. If you are interested in joining us, please consider signing up for any of the mailing lists and joining our community Slack to continue the conversation!