Cyber Resilience Act: Eclipse Foundation initiative helps with compliance

The OCCTET project aims to help small and medium-sized enterprises to ensure that their open source software complies with the Cyber Resilience Act.


The Eclipse Foundation has announced the launch of the OCCTET project. Behind the name “Open-Source Compliance: Comprehensive Techniques and Essential Tools” is an initiative funded by the European Commission that focuses on the Cyber Resilience Act (CRA). It brings together a consortium of industry leaders, cybersecurity experts, and open-source representatives, with the aim of making it easier for small and medium-sized enterprises (SMEs) and developers to bring their open-source software (OSS) into compliance with the CRA. To this end, it provides a toolkit of resources.

As Mike Milinkovich, Executive Director of the Eclipse Foundation, points out in the OCCTET announcement, compliance with the CRA is a multi-year journey that companies need to prioritize now. But even those that understand the urgency often lack in-house expertise.

This is where the new initiative comes in: the soon-to-be-released OCCTET Toolkit is designed to provide comprehensive resources aimed specifically at SMEs. These include a CRA compliance checklist, compliance assessment specifications, automated evaluation of methods and tools, and a federated database platform to publish OSS component assessments and enable multi-stakeholder contributions. Further details on the contents of the toolkit can be found on the OCCTET website, and a mailing list is also available.


OCCTET is not the only initiative of the Eclipse Foundation in relation to the CRA. The Open Source Regulatory Compliance Working Group (ORC Working Group) is now also offering initial resources to support CRA implementation and compliance. The Working Group has also gained new members: Microsoft and Red Hat are now on board as strategic members, with Google, exkide, and Open-Source Matters joining as additional members.

The ORC Working Group has been in existence since September 2024 and is intended to ensure the relevance and compliance of open-source software, particularly in light of the Cyber Resilience Act. It is under the vendor-neutral management of the Eclipse Foundation, the largest open-source foundation in Europe, and benefits from its official liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), as well as its active participation in the European Telecommunications Standards Institute (ETSI) and the European Commission's CRA Expert Group.

Right from the start of the working group, the Eclipse Foundation received support from industry giants such as Bosch, Mercedes-Benz, and Siemens, as well as other open-source foundations, and now has over 50 members, including around 20 open-source foundations. As Milinkovich emphasized in an interview with heise Developer, this kind of collaboration between numerous open-source foundations is probably unique. The ORC Working Group is now bearing the first fruits, which are ready for community review.

On GitHub, the Working Group has published an inventory of resources that are relevant for the development and use of open-source software in accordance with the Cyber Resilience Act. Among other things, the document outlines the principles of security resilience as defined by the CRA and covers topics such as generic security requirements, vulnerability management, and software bills of materials (SBOMs). The document emphasizes that it is a draft that could be updated, replaced, or declared obsolete at any time. It should therefore also be noted when quoting from it that it is a “work in progress.”


Back in the fall of 2023, heise Developer spoke to Mike Milinkovich about the CRA, which was keeping the world of open-source software on tenterhooks at the time, as it could have had a dramatic impact. The CRA has undergone changes from the first drafts to the final version: The responsibility for compliance now lies not with the open-source projects used in the commercial environment, but with the companies that use this software. The changes are due not least to the efforts of open-source organizations such as the Eclipse Foundation and their stakeholders in the industry. As Mike Milinkovich says in another interview with heise Developer, this is the first time anywhere in the world that a new form of economic actor called the “open-source software steward” has been considered in a law.

Basically, the Cyber Resilience Act is a good thing, says Milinkovich: the purpose of the CRA is to improve the cyber security of products sold to consumers and businesses in Europe—and there are too many examples of products that have not met good industry standards for cyber security in their design and implementation, but also in terms of support over the lifecycle of the product. However, the complexity of the implementation will bring a culture shock, as the three-year implementation phase between December 2024 and December 2027 will pass in a flash—“in the blink of an eye.”

(mai)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.