Open Source Software in Public Policy

Governments globally recognize cybersecurity’s importance, establishing partnerships and strategies to secure digital infrastructure. However, this attention risks unintentionally producing government policies that are inconsistent with how open-source software (OSS) is developed and used, often because of a limited understanding of OSS.

The OpenSSF is a “community of software developers, security engineers, and more who are working together to secure OSS for the greater public good.” This includes the secure development, distribution, deployment, and use of OSS. This short document gives a clear stance on OpenSSF policy work, whether regional or general, as a basis for policy summits, member discussions, and solidarity across our policy representatives.

We, the OpenSSF, take steps to constructively engage with stakeholders worldwide to help improve the security of OSS globally, including working to ensure that OSS will continue to be sustainably available to everyone. This includes responding to government requests for information (RFI), providing expert advice, engaging in processes to develop relevant standards, reporting vulnerabilities/incidents and working to improve related processes, providing fora for discussions and collaboration, and developing educational materials. Per the Linux Foundation bylaws section 8.8, we do not perform any political expenditure or lobbying that might impact our status as a tax-exempt organization.

The OpenSSF focuses on the following (per the OpenSSF Public Policy Committee):

  1. Encourage governments to responsibly consume OSS in general and contribute upstream, particularly in areas concerning security
  2. Encourage public funding of OSS ecosystems, particularly targeting security enhancements and maintenance
  3. Encourage OSS consumers to be responsible for OSS security outcomes
  4. Encourage governments to engage with or join OSS communities
  5. Encourage governments to adopt secure-by-design, secure open source software, and software supply chain security best practices as three key pillars of cyber workforce and education strategies
  6. Encourage governments to collaborate, internationally, to secure open source software
  7. Encourage governments to include OSS consumption, contribution, appropriate regulation, engagement, education, and international collaboration as key prongs of their AI strategies, and use AI to accelerate each of these

We advocate for flexible approaches that are efficient, agile, and enable innovation. We note that many OSS projects have small communities (often only one person) and don’t have a source of finances, so many OSS projects cannot develop extensive documentation or provide specialized responses to regulations without additional assistance. The OpenSSF develops tools, guidance, education, and other materials to make it easier for maintainers and communities to develop more secure OSS.

The OpenSSF has a global focus, with international policy and standards experts who advise and work with our communities. We recognize that cybersecurity concerns transcend political borders and want to address universal challenges that all creators and consumers of software face today.

Global Cyber Policy Working Group

Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and the globe are impacted by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.

Governing Board Public Policy Committee

The mission of the Governing Board Public Policy Committee is to provide an avenue for OpenSSF members to collaborate on policy matters related to or that impact open source software. Activities may include, for example, making recommendations on public statements regarding technical documents (including guidelines) published or authorized by public authorities, policy statements such as the U.S. EO, proposed regulations, and draft legislation or documents advancing the joint understanding on these issues in a manner consumable by policymakers.

European Union Cyber Resilience Act

The Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024, when it was published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. The CRA will fully apply three years later, on December 11, 2027. It will obligate all products with digital elements placed on the European market, including their remote data processing, to comply with the regulation. The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

Public Policy News and Updates


Apr 14, 2025 | OpenSSF

Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy

Open source is the backbone of today’s digital infrastructure—but with great power comes great responsibility. As cybersecurity threats grow in complexity and regulatory landscapes shift globally, open source projects are under increasing pressure to meet stringent security expectations.

Mar 24, 2025 | OpenSSF

What will my business need to do for the EU CRA?

The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available in Europe and…

Mar 18, 2025 | OpenSSF

Linux Foundation Research Reports Reveal Wide Spectrum for Cyber Resilience Act Readiness and Compliance

SAN FRANCISCO – March 18, 2024 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the publication of two groundbreaking research reports, both in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe (LF Europe), that explore community-driven strategies to address open source security and the European Union’s…

Mar 14, 2025 | OpenSSF

OpenSSF Policy Summit DC 2025 Recap

The OpenSSF Policy Summit DC 2025 brought together open source, government, and industry leaders to tackle pressing security challenges. The event fostered open dialogue under the Chatham House Rule, emphasizing shared responsibility and commitment to strengthening the open source ecosystem. A Message from Steve Fernandez, OpenSSF General Manager: "The OpenSSF…

Mar 11, 2025 | OpenSSF

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

WASHINGTON, D.C. – March 11, 2025 – The Open Source Security Foundation (OpenSSF) successfully hosted its 2025 Policy Summit in Washington, D.C., on Tuesday, March 4. The summit brought together industry leaders and open source security experts to address key challenges in securing the software supply chain, with a focus…

Feb 20, 2025 | OpenSSF

Does the EU CRA affect my business?

The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available on the European…

Feb 6, 2025 | OpenSSF

Securing Public Sector Supply Chains is a Team Sport

By Daniel Moch, Lockheed Martin. Everyone—from private companies to governments—is aware (or is quickly becoming aware) that the security of their software supply chain is critical to their broader security and continued success. The OpenSSF exists in part to help organizations grapple with the complexity of their supply chains, promoting…

Jan 31, 2025 | OpenSSF

Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

BRUSSELS – JANUARY 31, 2025 – Linux Foundation Europe and OpenSSF are excited to announce a global joint initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA) and future cybersecurity legislation targeting jurisdictions around the world. This effort aims…

Dec 23, 2024 | OpenSSF

CRA Stewards and Manufacturers Workshop: Key Takeaways and Next Steps

Last week the Linux Foundation Europe and OpenSSF teams held a workshop focused on the implications of the recently published Regulation (EU) 2024/2847, commonly known as the Cyber Resilience Act or CRA. The 2024 Stewards and Manufacturers Workshop in Amsterdam was a highly successful event where members from across the…

Dec 17, 2024 | Christian Horchert

CRA Expert Group Composition

Here's a little breakdown of the current CRA expert group composition by country and category. The biggest non-institutional groups are companies, and trade and business associations, most of which are listed as European. Not sure why Philips is listed as a trade organisation, I would put them into the same…