Cyber Resilience Act: ORC Working Group publishes first whitepaper

The whitepaper focuses on the role of Open Source Software Stewards, who appear as legal actors for the first time in the CRA.


The Open Regulatory Compliance Working Group (ORC WG), founded by the Eclipse Foundation, has published its first whitepaper. The working group – whose members include renowned companies such as Microsoft, Siemens, Red Hat, and Bosch – was formed due to the emergence of the Cyber Resilience Act (CRA), an EU regulation aimed at increasing the security of products with digital elements.

The whitepaper addresses open questions surrounding the new role of Open Source Software Stewards mentioned in the CRA. The working group emphasizes that the whitepaper is not a legal recommendation but reflects a collective understanding of open-source contributors.


As the ORC WG emphasizes in its blog, the Cyber Resilience Act marks a significant shift in cybersecurity responsibilities within the software development ecosystem. Open Source Software Stewards are named as legal actors for the first time in the CRA and are a separate category from manufacturers. Unlike manufacturers, they are not required to pay administrative fines for non-compliance, for example. However, the new role raises several questions, such as what it concretely means in practice and what exact obligations it entails.

For the new whitepaper, members of the ORC community have analyzed and interpreted the CRA text to provide practical guidance and information. Specifically, the whitepaper outlines the relationship between stewards and the projects they support, and why this role was created. It also discusses the obligations of stewards and how they differ from those of software manufacturers.

Practical examples are intended to show how Open Source Software Stewards can establish cybersecurity rules in their projects and handle security vulnerabilities and their disclosure. The whitepaper also mentions questions that remain unanswered, such as how to select the appropriate market surveillance authority in complex cases, and where further regulatory guidance is needed.

The 25-page whitepaper "Open Source Software Stewards and CRA" in version 1.0 is available for download on the ORC Working Group website.

The whitepaper is exclusively aimed at open-source projects that have a steward. According to the ORC working group, this does not apply to most projects. A steward must be a "legal entity," which can be a company, for example. However, most open-source projects are not supported by companies or foundations. The document also does not serve to determine whether a company qualifies as a steward of a project -- or even as a manufacturer. Such questions are addressed in the ORC Working Group FAQ.

(mai)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.