First Steps Towards Cyber Resilience Act Conformity: Biking the CRA with Balena at FOSDEM 2026

By Harald Fischer | March 11, 2026 | Blog, Guest Blog

This blog was originally published on blog.balena.io, written by Harald Fischer, and modified for OpenSSF.

Recently, I spoke at the Free and Open Source Developers’ European Meeting (FOSDEM) 2026 on “First steps towards Cyber Resilience Act (CRA) conformity: A practical introduction to cybersecurity risk management.”

To make the Cyber Resilience Act (CRA) easier to understand, I used bicycles as a metaphor for how to approach cybersecurity risk.

Key Points from My Talk:

  • It’s not only information security that needs to be considered, but also other aspects like the health and safety of users.
  • It’s important to understand the product’s risk over its full lifetime (which could span multiple years).
  • There is a legal obligation to produce technical documentation.
  • The first step is to start with your product. Be clear on the function, integration, and user profile.
  • Communicate clearly the remaining cybersecurity risks to your users.

You can view the full talk here (under 13 minutes), along with the extended slide deck.

Thank you to everyone who came to my talk in person (and watched online).

What I Learned About the CRA at FOSDEM

From attending the other CRA sessions and many interesting hallway conversations, I noticed some common themes:

  • There’s a tendency to rely on automated tools, which can numb the awareness of the underlying manual processes. We must continue to focus on manual work, such as understanding who our users are (user profiles), how systems operate (operational environments and system functions), and where the real potential risks lie.
  • The fundamental risk assessment for digital products isn’t top of mind for developers. They’re kept busy shipping features on time, fixing bugs, and handling incidents and outages.
  • Open Source maintainers see corporate involvement as both a good and a bad thing at the same time. Organizations face legal mandates to upstream vulnerability fixes (benefiting all), but some treat volunteer maintainers like third-party vendors, demanding security questionnaires without contributing much themselves.
  • There’s still a large disconnect between Open Source, new standards, and real industry needs.

Working with the OpenSSF Community on CRA

Since the beginning of 2025, balena has been an active member of the Open Source Security Foundation (OpenSSF). We understood early that the Cyber Resilience Act (CRA) challenges would affect many members of the open source community, including ourselves. We prefer to work on the CRA within a community rather than in isolation. Consequently, I have been active with the OpenSSF Global Cyber Policy Working Group ever since.

I had the opportunity to volunteer at the OpenSSF booth at FOSDEM. The booth was so busy that we ran out of CRA stickers and flyers by Saturday morning – just a few hours into the conference! I was thrilled that many attendees stopped by to continue the discussion about my presentation and to make new connections.

I want to thank Susan Remmert from the Linux Foundation for organizing the booth. Thanks to Kris Borchers for the invitation and the excellent company at the OpenSSF booth. It was also great to see Roman Zhukov (Red Hat) stop by despite his hectic schedule!

Roman Zhukov, Kris Borchers, and Harald Fischer at the OpenSSF booth at FOSDEM.

A Remarkable Experience at FOSDEM

FOSDEM is widely recognized as the largest free open source community event. It would not be possible without the efforts of all the volunteers. In particular, I’d like to thank the ‘CRA in practice’ developer room organizers for all the hard work they did: Roman Zhukov, Madalin Neag, Megan Knight, and Philippe Ombredanne.

Experiencing FOSDEM in person was… interesting! Being turned away from full-capacity sessions, long queues for food, being crushed in the hallway, and the unmistakable aroma of 8000+ techies were just some of the challenges. However, the deep dives and technical insights into open source, and the energy of being surrounded by such approachable, passionate, smart folks, made the experience so valuable.

Relevant Links