
Open Source Software in Public Policy

Cybersecurity — and specifically software provenance, assurance, and supply chain trust — has gained the attention of governments around the globe. For example, on May 12, 2021, President Biden released an Executive Order (EO) on Improving the Nation’s Cybersecurity that aims to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” In the European Union, the European Union Agency for Cybersecurity (ENISA) seeks “to achieve a high common level of cybersecurity across the Union in cooperation with the wider community.” However, with this increased global attention on cybersecurity, there is a risk that government policies (such as laws, regulations, guidelines, and reports issued by various institutions) could impose measures inconsistent with the development and use of open source software (OSS). Typically (but not always), this is unintentional and is due to a lack of understanding of how OSS is developed, distributed, and used.

OpenSSF supports groups and hosts events for members to collaborate on public policy matters.

Global Cyber Policy Working Group

Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and around the globe are affected by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.

Governing Board Public Policy Committee

The mission of the Governing Board Public Policy Committee is to provide an avenue for OpenSSF members to collaborate on policy matters related to or that impact open source software. Activities may include, for example, making recommendations on public statements regarding technical documents (including guidelines) published or authorized by public authorities, policy statements such as the U.S. EO, proposed regulations, and draft legislation or documents advancing the joint understanding on these issues in a manner consumable by policymakers.

European Union Cyber Resilience Act

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements placed on the European market, including their remote data processing solutions, to comply with the regulation. The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

Public Policy News and Updates


Feb 20, 2025 | OpenSSF

Does the EU CRA affect my business?

The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available on the European…

Feb 6, 2025 | OpenSSF

Securing Public Sector Supply Chains is a Team Sport

By Daniel Moch, Lockheed Martin

Everyone—from private companies to governments—is aware (or is quickly becoming aware) that the security of their software supply chain is critical to their broader security and continued success. The OpenSSF exists in part to help organizations grapple with the complexity of their supply chains, promoting…

Jan 31, 2025 | OpenSSF

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

Leading organizations support global cybersecurity legislation preparedness efforts for open source communities.

BRUSSELS – JANUARY 31, 2025 – Linux Foundation Europe and OpenSSF are excited to announce a global joint initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA)…

Dec 23, 2024 | OpenSSF

CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps

Last week the Linux Foundation Europe and OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the…

Dec 17, 2024 | Christian Horchert

CRA Expert Group Composition

Here's a little breakdown of the current CRA expert group composition by country and category. The biggest non-institutional groups are companies, and trade and business associations, most of which are listed as European. Not sure why Philips is listed as a trade organisation, I would put them into the same…

Dec 11, 2024 | OpenSSF

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 2

In Part 1, we provided a general overview of the CRA and highlighted OpenSSF’s current activities related to its implementation. In Part 2, we’ll take a closer look at the three-year implementation timeline and what lies ahead.

Nov 25, 2024 | OpenSSF

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) enters into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their…