Open Source Friday with OpenSSF – Global Cyber Policy Working Group

September 11, 2025 | Blog, Global Cyber Policy

On August 15, 2025, GitHub’s Open Source Friday series spotlighted the Open Source Security Foundation (OpenSSF) in a live interview hosted by Kevin Crosby. Open Source Friday is GitHub’s weekly program that celebrates the creators, maintainers, and contributors who make the open source community thrive. The session introduced the OpenSSF Global Cyber Policy Working Group and the OSPS Baseline, raising awareness of how these community-driven efforts help developers, maintainers, and policymakers navigate new global cybersecurity regulations like the EU Cyber Resilience Act (CRA).

The session brought together:

  • Madalin Neag — EU Policy Advisor, OpenSSF
  • Christopher Robinson (CRob) — Chief Security Architect, OpenSSF
  • David A. Wheeler — Director of Open Source Supply Chain Security, OpenSSF

This Open Source Friday session focused on the OpenSSF Global Cyber Policy Working Group (WG), a community-driven effort that connects open source maintainers, security experts, and policymakers worldwide.

The group was formed in response to growing global cybersecurity regulations, with the EU Cyber Resilience Act at the forefront.

The conversation explored:

  • Why the Working Group was created
  • How global policies like the CRA affect open source projects and maintainers
  • Key challenges facing developers, manufacturers, and organizations
  • Tools, resources, and trainings available to the community

“Our mission is to help the community understand new laws and frameworks, while also explaining to policymakers how open source works.” – Christopher Robinson (CRob)

Highlights

What the OpenSSF Global Cyber Policy Working Group Does

The Working Group supports the open source community by:

  • Tracking global cybersecurity regulations and frameworks
  • Providing resources, guidelines, and training to developers
  • Engaging policymakers to ensure open source realities are understood
  • Advocating for transparency, collaboration, and interoperability

The EU Cyber Resilience Act: Why It Matters

The EU CRA introduces significant cybersecurity requirements for digital products and services across Europe, including:

  • Mandatory security measures throughout a product’s lifecycle
  • Five years of security updates for covered products
  • Obligations for manufacturers to address vulnerabilities proactively
  • Acknowledgment that non-commercial open source projects are mostly exempt
  • Creation of a new “steward” role for maintainers of critical open source components

“Even if you are not in the EU, the CRA applies the moment you sell into the EU. In many ways, it’s becoming a global law.” – David A. Wheeler

Challenges & Opportunities

The panel discussed several ongoing challenges:

  • Awareness gaps – A recent study revealed 72% of companies didn’t know when CRA requirements take effect.
  • Fragmented global policies – Multiple regions, including the U.S., India, China, and Australia, are introducing separate laws, making compliance complex.
  • Closed standards – Many key CRA-related standards remain behind paywalls, making it harder for developers to prepare.

Despite these challenges, the OpenSSF team stressed that collaboration, open tooling, and proactive education are key to success.

Resources for Developers & Organizations

The Working Group has released several free, open resources to support developers and companies preparing for the CRA and other cybersecurity regulations:

These resources are designed to reduce complexity, increase awareness, and help both upstream projects and downstream manufacturers stay prepared.

What’s Next?

As more countries explore CRA-inspired regulations, cybersecurity and open source policy will remain top priorities. The panel highlighted three major trends to watch:

  • Global influence of the CRA – Other regions are drafting similar policies, potentially shaping a new worldwide standard.
  • Government recognition of open source as critical infrastructure – Collaboration between public institutions, private companies, and open source maintainers is growing.
  • AI in secure development – AI-powered tools are becoming essential, but also introduce new compliance and security considerations.

Get Involved

The OpenSSF Global Cyber Policy Working Group is open to everyone. You don’t need to be a Linux Foundation member to participate.

Here’s how you can engage:

“Show up, ask questions, and get involved. The more voices we have, the stronger our impact will be.” – Madalin Neag

This Open Source Friday session gave the community a closer look at how OpenSSF is working to prepare developers, maintainers, and organizations for an evolving cybersecurity landscape.

The EU CRA represents a significant shift in computing, but with collaboration, education, and shared resources, the open source ecosystem is better equipped to meet these new challenges. By working together through groups like the OpenSSF Global Cyber Policy Working Group, the open source community can stay ahead of these changes. Get involved today, and help shape the future of secure, resilient open source software. If you missed the session, you can watch the replay here and explore OpenSSF’s resources to get started today. Thanks to everyone who joined us live. Stay tuned for more information on Cyber Resilience Act topics!