
Does the EU CRA affect my business?

By Mike Bursell, Co-chair, OpenSSF Cyber Policy WG

Note: This guide is not intended to provide legal advice, and we encourage you to seek advice from your legal counsel if you run into any issues or have any questions. Determining whether the CRA applies to you likely requires consulting legal counsel or your employer’s legal team.

Introduction

The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available on the European market. The intention behind it is to improve the cybersecurity of products available to consumers and businesses across Europe.

This article looks at the CRA and whether it is likely to affect your business or product, and is a companion to the article “What do I need to do for the EU CRA?” The details of how the CRA will be implemented are still being worked out, and although most of the measures aren’t due to come into force until November 2026, the impact of the Act is going to be wide-ranging. For many organisations and businesses, there will be important changes to processes around how they create, document, sell, upgrade and support products, all of which require planning and implementation well in advance of the Act’s full application. While this article should not be considered as providing legal advice, it will give you basic information to allow you to decide next steps.

Some commentators have seen the CRA as imposing a new burden of cybersecurity awareness on organisations. However, the view of many cybersecurity professionals, and that of the Linux Foundation and the OpenSSF, is that it actually presents an opportunity to normalise cybersecurity as a part of all organisations and to raise the visibility of security practices throughout the supply chain and lifecycle of all products. This provides a chance for industry to get to grips with a subject that has long been neglected and to work to provide standards, tools and techniques that will benefit the entire ecosystem, similar to the changes that have been put in place around privacy to satisfy the requirements of GDPR.

The first thing to work out is whether you are likely to be affected.

Do you produce a PDE?

The CRA applies to what are defined as Products with Digital Elements (PDEs). A PDE is defined as “a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.” This definition covers a wide range of products and services, and it’s important to note that if your product requires access to an online service (for example, a back-end API) in order to function, that service is likely to be covered as well, whether it’s hosted in the EU or not. A stand-alone website is unlikely to fall within the CRA, and there are some specific sectors (such as telecommunications, healthcare and automotive) which, while subject to the CRA, already have conformity requirements applied to them. If you produce a PDE, you are likely to be what the CRA calls a “Manufacturer”, which imposes specific requirements on you and on how you bring your PDEs to the EU marketplace. Examples might include: an Internet-connected dishwasher; business software that users or administrators install on their PCs; a packaged mobile app that provides an AI chat assistant; a fitness-tracking watch.

Do you do business in Europe?

If your product is sold or “offered” in the EU, or you make a profit from it in some way, then it is likely to be subject to the CRA. The good news, however, is that the CRA is designed to be consistent across the EU, so if you have achieved compliance in one part of the EU, that covers all other member countries as well. It’s worth noting that “small and medium-sized enterprises” (SMEs) are subject to slightly reduced requirements under the CRA. Proof of Concept and Beta products are generally exempt from the CRA.

Open Source

One of the important features of the CRA is its awareness of open source and the ecosystem around it. It introduces the term (and role) “Steward”, used to refer to entities such as open source software foundations that don’t sell PDEs, but do manage, support, publish and host open source projects. The CRA imposes fewer and less onerous requirements on Stewards than on Manufacturers, though they do have responsibilities for working with maintainers and contributors of open source on the one hand and manufacturers on the other. The CRA is also aware of the role of maintainers and contributors. They are not affected directly by the CRA, particularly if the project on which they are working is supported by a Steward, though if they make a profit from services around the project, they may count as a Manufacturer. It is also possible for an organisation to be both a Manufacturer and a Steward: if the organisation both sells a PDE that uses an open source project and also hosts it, supports it and provides updates and patches for the community, for instance, then that would put it in both categories. And it’s important to note that open source projects do not necessarily need to have a Steward at all.

Finding out more

The Linux Foundation Europe and OpenSSF invite the broader open source community to participate in this initiative. To get involved: