Linux Foundation and OpenSSF help implement the requirements of the CRA
The Linux Foundation Europe and OpenSSF are launching a new initiative to jointly develop resources for the implementation of the CRA (Cyber Resilience Act).
The Linux Foundation Europe and OpenSSF, the Open Source Security Foundation, have announced a new initiative to support various stakeholders in the open source ecosystem in implementing the requirements of the European Union's Cyber Resilience Act (CRA). Security and compliance guidelines are to be developed and formalized together with maintainers of open source projects, providers of open source software, and foundations and initiatives.
The CRA came into force in December 2024 and aims to increase the cybersecurity of networked devices in the European Union. (Software) products that are subject to the CRA must fulfill various requirements, such as taking security into account during the design process, reporting vulnerabilities and making dependencies of software packages transparent as part of SBOMs (Software Bill of Materials). The CRA requirements must be fully implemented by the end of 2027.
Stewards for open source software
Non-commercial open source software is generally exempt from the requirements of the CRA. In an earlier draft of the CRA, the definition of "commercial activity" was still very broad. Organizations such as the Linux Foundation Europe and the Open Source Business Alliance had warned that the CRA in this form would endanger the development of open projects.
In the adopted version of the CRA, the focus is on how a (software) product is brought to market and not on the development process. To this end, the concept of "open source stewards" was introduced, who are not software manufacturers in the traditional sense, but provide support and take responsibility for the security of open source software.
Cooperation beyond the CRA
The new initiative of the Linux Foundation Europe and OpenSSF is in line with this. Mirko Boehm, Senior Director of Community Development at the Linux Foundation Europe, says: "As software becomes more and more regulated worldwide, we feel responsible as stewards of some of the most important open source projects in the world to reduce problems for our maintainers and software vendors who use upstream open source and need to comply with these regulations". This is primarily about the CRA, but the foundation is confident that it will also be able to respond to future requirements and changes in legislation.
According to the announcement, other companies such as ARM, Ericsson, GitHub, Kusari, the OpenJS Foundation, Red Hat and the Rust Foundation are participating in the initiative. The joint work is organized in the "Global Cyber Policy Working Group". Interested parties from the open source community can take a look at the associated GitHub repository or take part in the discussion on the mailing list or in a Slack channel. (ndi)