Recently, I spoke at the Free and Open Source Developers' European Meeting (FOSDEM) 2026 on “First steps towards Cyber Resilience Act (CRA) conformity: A practical introduction to cybersecurity risk management.”
Over the past few years, the free and open source (FOSS) community has engaged deeply with the CRA, highlighting its significance and potential impact.
The Cyber Resilience Act (CRA) represents a significant evolution in the European Union’s approach to product cybersecurity and software supply chain risk. Article 25 explicitly recognizes the unique role of free and open source software (FOSS) and seeks to facilitate compliance for manufacturers by enabling voluntary security attestation programmes for FOSS.
The European Commission has released an information website on CRA implementation: https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation The Commission has also published the first version of the FAQ: https://ec.europa.eu/newsroom/dae/redirection/document/122331
By Madalin Neag, Kate Stewart, and David A. Wheeler In our previous blog post, we explored how the Software Bill of Materials (SBOM) should not be a static artifact created...
At the end of October, the Linux Foundation, the Linux Foundation Europe and OpenSSF will gather leaders across industry, government, and open source communities for three impactful events in Belgium. Together, these back-to-back gatherings will advance collaboration, shape policy, and highlight the critical role of open source in Europe’s digital future.
On August 15, 2025, GitHub’s Open Source Friday series spotlighted the Open Source Security Foundation (OpenSSF) in a live interview hosted by Kevin Crosby. Open Source Friday is GitHub’s weekly program that celebrates the creators, maintainers, and contributors who make the open source community thrive. The session introduced the OpenSSF Global Cyber Policy Working Group…
Specialized software, such as software in medical devices, has been regulated for years. But laws on specialized software affected very few developers. The European Union (EU) Cyber Resilience Act (CRA) is fundamentally different.
