
New Course Bridges Knowledge Gap Ahead of Sweeping EU Software Regulations
SAN FRANCISCO, CA – April 29, 2025 – The Open Source Security Foundation (OpenSSF), in collaboration with LF Education, announces the general availability of LFEL1001, a free online course designed to help software developers understand and prepare for the requirements of the European Union (EU) Cyber Resilience Act (CRA). In just one week, the course saw nearly 2,000 enrollments, a 1,600 percent increase over the LF Education cybersecurity course average, reflecting strong demand for practical CRA guidance.
“Security starts with education, and we believe this course empowers teams to begin mapping a path to CRA readiness,” said Steve Fernandez, General Manager at OpenSSF. “It’s not just about avoiding penalties, it’s about raising the baseline of cybersecurity across all software that touches users in Europe and around the world.”
Since its introduction, the CRA has signaled a paradigm shift for commercial software and devices with embedded software sold in the EU. For the first time, it introduces cybersecurity obligations for a broad range of software producers, including some open source projects. The CRA applies not only to developers in the EU but to almost every product with software that’s distributed in the EU. Despite its significance, there is a lack of general awareness around the CRA, with 62 percent of open source stakeholders surveyed in a March 2025 report saying they were “not familiar” or “only slightly familiar” with the CRA.
This knowledge gap comes at a time when technical teams are looking for concrete guidance: according to Linux Foundation Research, 78 percent of organizations using or contributing to open source software expect their responsibilities to change under the CRA, and 96 percent of research respondents agreed that complying with CRA requirements will require new processes or tooling.
“We built this course to help address the serious knowledge gap across the software industry when it comes to CRA readiness,” said Dr. David A. Wheeler, Director of Open Source Supply Chain Security at OpenSSF. “We don’t just say the CRA has requirements—we walk developers and managers through what those requirements actually are, and how they apply to both closed source and open source projects.”
With strong early engagement, LFEL1001 is tailored for developers and technical leaders, providing a practical, detailed look at the CRA’s cybersecurity and vulnerability handling obligations. The course clarifies which open source software falls under the CRA’s scope, how open source software stewards may be affected, and what steps developers should take to prepare for 2026 enforcement and full regulatory compliance in 2027.
“The Cyber Resilience Act represents a pivotal moment not just for the European open source community but for any manufacturer putting products on the European market,” said Gabriele Columbro, General Manager of Linux Foundation Europe. “I commend OpenSSF for quickly addressing the needs of the community with concrete education that will immensely help them understand their obligations and opportunities under the CRA, and ultimately ensure that open collaboration remains a cornerstone of digital innovation in the new era of regulated open source.”
LFEL1001 is available now for free on the Linux Foundation Training website. Developers, project maintainers, and managers across industries are encouraged to enroll.
Course Testimonials
“The Cyber Resilience Act (CRA) regulates the software industry in a way that hasn’t been regulated before. This is a huge change for everyone and will affect everything from software design to maintenance of digital products. Transparency and the focus on the safety and the security of the user will be in the spotlight during the coming months. In a short period, a whole industry needs to go through a change in the ways we work with development and how we maintain our products. Implementing Software Bill of Materials, risk analysis, threat models and reviewing all third-party dependencies will take resources and time from adding new features. This not only affects the technology side, but also the business model of commercial manufacturers that are obliged to provide free security updates during a product’s lifetime. It’s essential that everyone gets basic training and a good overview as a start in this process. The LF Education course LFEL1001, ‘Understanding the Cyber Resilience Act (CRA)’, developed collaboratively within the OpenSSF and available for free, is filling this gap and will help the industry adapt to this new regulated world.”
– Olle E. Johansson, Consultant, Edvina AB, OWASP CycloneDX Industry Working Group
“As software forms the backbone of modern society, ensuring its security and resilience is key. The Cyber Resilience Act (CRA) is a new and upcoming EU legislation aimed at establishing and enforcing secure software development practices for software products on the EU market. Therefore, it is essential for all software manufacturers, large and small, as well as for open source developers to gain a comprehensive understanding of the CRA. The LF Education course LFEL1001, ‘Understanding the Cyber Resilience Act (CRA)’, developed collaboratively within the OpenSSF, serves as an invaluable educational resource in this context: from fostering general awareness of the CRA, providing an overview of roles and responsibilities to summarizing the specific obligations outlined in the CRA. This free course supports all members of the software ecosystem, both manufacturers and open source communities, in preparing for CRA readiness.”
– Georg Kunz, Senior Systems Designer, Software Defined Networking, Ericsson
“The Cyber Resilience Act will have a significant impact on how software is developed, distributed, and maintained—especially for open source. The new LFEL1001 course gives developers and engineering teams the foundational understanding they need to start preparing now. It’s clear, accessible, and designed to help the community navigate this evolving regulatory landscape.”
– Mike Bursell, Co-chair, Global Cyber Policy WG, OpenSSF
“The EU Cyber Resilience Act (CRA) is a seminal legislative act, requiring that software placed on the market has been developed securely and that vulnerabilities are being addressed promptly and transparently. The CRA applies to open source components as well as traditional software providers, and it is imperative that everyone in the software ecosystem is aware of this law and understands their obligations. The OpenSSF and Linux Foundation have created LFEL1001, ‘Understanding the Cyber Resilience Act (CRA)’, a free course intended to increase awareness of the CRA and provide key information that is useful for all open source developers and software manufacturers. This course provides details about the different roles outlined in the CRA along with general information on the obligations and expectations for each of these roles. It is an excellent starting point for those just getting familiar with the CRA, as well as a great resource for those already aware of it who are looking for additional information.”
– Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat
###
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
Media Contact
Noah Lehman
The Linux Foundation