
New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

By David A. Wheeler

Software is about to be regulated worldwide. Are you ready?

Specialized software, such as software in medical devices, has been regulated for years. But laws on specialized software affected very few developers. The European Union (EU) Cyber Resilience Act (CRA) is fundamentally different. It is a law that applies to software, hardware, products containing them, and their backend services, if they are made available on the European market. The law applies regardless of where the developers are located. While technically the CRA is not a worldwide law, in practice it is worldwide, because software is often distributed and used globally. What’s more, failing to comply with the CRA where required can lead not only to a stop in sales, but also to steep penalties (up to €15M or 2.5% of worldwide annual turnover, whichever is greater). Its first obligations, the reporting of actively exploited vulnerabilities and severe incidents, begin on 2026-09-11, with the remaining obligations applying from 2027-12-11.

To help developers of open source software (OSS), the OpenSSF has crafted a CRA Brief Guide for OSS Developers. If you develop OSS, we think you’ll appreciate this straightforward guide. It is not legal advice; rather, it is an overview to help you understand the situation — but understanding is the first step.

The good news is that in many cases the CRA does not apply to OSS. If you are contributing to others’ OSS projects, or publish OSS code in your own repository without monetizing it, you do not have to worry about the CRA at all.

However, the CRA does not exclude OSS. There are cases where the CRA does apply to OSS. In addition, the CRA is going to affect many who use OSS, and we expect there will be an indirect impact on OSS development. For more information, again, see the CRA Brief Guide for OSS Developers.

We in the OpenSSF have other resources you might also find helpful. To learn more about the CRA, we have a free express course, “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)”; you can earn a digital badge by completing it. Most developers want the software they create to be secure; to learn how, we encourage you to take our free course “Developing Secure Software (LFD121)”. The Open Source Security Foundation (OpenSSF) has multiple working groups where you can discuss issues with peers, learn from them, and help build the tools, documentation, and training that make OSS more secure. We invite you to get involved!

About the Author

Dr. David A. Wheeler is the Director of Open Source Supply Chain Security at the Open Source Security Foundation (OpenSSF), part of the Linux Foundation, and he teaches a graduate course in developing secure software at George Mason University (GMU). He was the lead developer of the OpenSSF courses Understanding the EU Cyber Resilience Act (CRA) (LFEL1001) and Developing Secure Software (LFD121). Dr. Wheeler has a PhD in Information Technology, a Master’s in Computer Science, a certificate in Information Security, a certificate in Software Engineering, and a B.S. in Electronics Engineering, all from George Mason University (GMU). He is a Certified Information Systems Security Professional (CISSP) and a Senior Member of the Institute of Electrical and Electronics Engineers (IEEE). He lives in Northern Virginia.