EU Cyber Resilience Act (CRA) in Practice @ FOSDEM 2026: From Awareness to Action

By Madalin Neag, Megan Knight, Philippe Ombredanne, and Roman Zhukov

Over the past few years, the free and open source software (FOSS) community has engaged deeply with the CRA, highlighting its significance and potential impact. With the clock ticking towards mandatory compliance, it is essential to move from abstract awareness (“Oh no, regulations!”) to practical, actionable steps (“Here’s how we actually do this.”).

The CRA in Practice DevRoom at FOSDEM 2026 brought together developers, maintainers, stewards, and manufacturers to do just that: explore practical approaches to the upcoming EU Cyber Resilience Act (CRA). With less than two years until the regulation becomes mandatory, the topics in this DevRoom took the conversation from policy awareness to concrete readiness – offering guidance, tooling, and collaboration strategies for achievable, transparent, and sustainable compliance.

We want to begin by acknowledging Roman Zhukov (Red Hat; co-chair of the OpenSSF Global Cyber Policy WG) as the primary driver and main organizer of this DevRoom. His leadership and dedication in coordinating, communicating, organizing, and handling the logistics of the DevRoom were instrumental to its success.

Our gratitude also goes to the other organizers for their vision and coordination in shaping the program and supporting the DevRoom: Megan Knight (Arm; Global Cyber Policy Awareness SIG chair), Philippe Ombredanne, Adam Herzog, and Madalin Neag (OpenSSF).

Thank you as well to our volunteers for ensuring that all of the sessions ran smoothly throughout the day, including Arnaud Le Hors (IBM), Cassie Crossley, Dan Applequist, Götz Martinek, Charlie Dixon (Arm), and Jaroslav Reznik (Red Hat).

The DevRoom featured a rich mix of case studies, practical demonstrations, and panel discussions, including the following:

  • Deutsche Bahn shared how modular FOSS tools helped them translate CRA obligations into both organizational and technical workflows for a large, complex organization.
  • The challenges of multi-vendor EV charging infrastructure were highlighted, showing how compliance can be integrated directly into operational protocols such as OCPP (the Open Charge Point Protocol) to manage tens of thousands of devices efficiently.
  • Erlang/OTP and the Yocto Project presented their approaches to CRA readiness for open source and embedded systems, including automated vulnerability scanning, SBOM generation, OpenVEX statements, and lifecycle tracking, illustrating how both community-driven projects and complex hardware/software systems can implement compliance in practice. 
  • Security attestations were discussed and how, if implemented correctly and with respect for open source communities, they could help manufacturers demonstrate due diligence while supporting ecosystem sustainability. 
  • Community management, stewardship, and open data sessions emphasized the human and ecosystem dimensions of CRA readiness, showing that practical compliance relies not only on tools but also on structured processes, collaboration, and clear workflows. 
  • A panel on CRA stewards explored the practical realities of implementing the steward role as defined by the regulation, the responsibilities emerging in practice, and how organizations are approaching this evolving function. 
  • Separately, a panel on FOSS maintainers focused on the questions that volunteer contributors face: which CRA obligations might affect their projects, how to position projects proactively without formal compliance structures, and how industry stakeholders can support the open source components embedded in their products.
  • Sessions on VEX and curated open data demonstrated how accurate, machine-readable information can streamline compliance automation and provide actionable insights for both maintainers and manufacturers. 
  • Finally, risk management sessions guided participants through assessing product context, identifying assets and threats, and defining risk treatment strategies, highlighting that CRA compliance is ultimately a structured, repeatable, and risk-based practice.

The discussions reinforced that:

  • CRA readiness is a shared responsibility. 
  • Open collaboration, community-driven tooling, and structured workflows enable compliance for projects of all sizes. 
  • Stewards and foundations play a crucial role in guiding maintainers and contributors, while manufacturers can meet due diligence requirements efficiently. 

Effective CRA readiness depends on the right combination of open source tooling, repeatable processes, and collaboration across projects and organizations, ensuring compliance efforts are practical, transparent, and aligned with the principles of the open source community.

FOSDEM 2026’s CRA in Practice DevRoom successfully translated the EU Cyber Resilience Act from abstract legislation into practical, actionable steps. Attendees left with concrete strategies, reusable workflows, and inspiration to move from uncertainty toward a secure and compliant future.

Special thanks go to all submitters, presenters, and panelists. We apologize that we could not fit all the excellent submissions into the program: every contribution was highly valuable, and the selection process was extremely difficult. We hope to have a full day next year to accommodate everyone!

We also deeply thank the FOSDEM organizers and volunteers for their tireless efforts, and the huge number of participants who joined us, engaged with the discussions, and showed genuine interest in CRA readiness. Your presence, questions, and feedback energized the sessions and reaffirmed the importance of collaboration in the open source ecosystem. Apologies to those who were patiently waiting outside when the room was completely full; we very much value your interest. On behalf of the open source community, a very special thank you goes to the representatives of the European Commission, EU member state agencies, policymakers, and standardization body officials who attended and supported the CRA in Practice DevRoom, reinforcing a shared commitment to joint, open collaboration as the only way to achieve the CRA’s goals.

We are already looking forward to repeating this exercise and hope to see you all next year, continuing to build a path toward a more resilient, transparent, and sustainable future for open source software, where practical compliance strengthens communities, fosters trust, and enables innovation across projects of all sizes. For those who could not attend or want to revisit the sessions, all videos from the DevRoom are available at the following link. 

About the Authors
Philippe Ombredanne is the lead maintainer of the AboutCode stack of open source tools for Software Composition Analysis and license and security compliance, including the industry-leading ScanCode, DejaCode, PurlDB, Package-URL, and VulnerableCode. Philippe contributes to other open source projects, including the Linux kernel SPDX-ification, SPDX, ClearlyDefined, strace, ORT, and several Python tools.

Megan Knight is the Director of Software Communities at Arm, where she leads upstream engagements with open source communities across the stack. She wears a variety of hats, including OpenSSF Governing Board Member and Global Cyber Policy SIG Lead, Yocto Project Board Member and Advocacy Chair, UXL Foundation Steering Committee Member, and Zephyr Project Board Member Representative. Before joining Arm, Megan built the IoT and Automotive open source portfolio at Amazon Web Services.

Roman Zhukov is a cybersecurity expert, engineer, and leader with over 17 years of hands-on experience securing complex systems and software products at scale. At Red Hat, Roman leads open source security strategy, upstream collaboration, and cross-industry initiatives focused on building trusted ecosystems. He is an active contributor to open source security and co-chair of the OpenSSF Global Cyber Policy WG.

Madalin Neag works as an EU Policy Advisor at OpenSSF focusing on cybersecurity and open source software. He bridges OpenSSF (and its community), other technical communities, and policymakers, helping position OpenSSF as a trusted resource within the global and European policy landscape. His role is supported by a technical background in R&D, innovation, and standardization, with a focus on openness and interoperability.