Introduction

Key takeaways and best practices

  • Determine whether your project develops materials intended for use in an “important” or “critical” product.

  • Establish and follow a written security policy for your project.

  • Provide notifications about the project’s actively exploited vulnerabilities and severe IT system incidents.

  • Upon request, cooperate with EU “market surveillance authorities” to mitigate security risks.

  • Consider additional voluntary steps, such as developing CRA “technical documentation” and participating in security attestation programs.

Overview

The European Union enacted the Cyber Resilience Act, or CRA, in 2024. Its obligations go into effect during 2026 and 2027.

The CRA imposes cybersecurity obligations on the development of “products with digital elements”, which essentially means software and hardware products that have functionality for remote data processing (e.g., network interaction). The CRA’s main focus is on “manufacturers” of products with digital elements.

The CRA is the first EU legislation that recognizes the concept of what it calls “open-source software stewards”, which are organizations whose purpose is to provide ongoing support to the development of open source projects.

Open-source software stewards are not considered “manufacturers” under the CRA. However, open-source software stewards do have certain responsibilities tied to ensuring that their projects are developed in a manner that supports secure development practices in the downstream products that use and incorporate them.

The following pages provide guidance for how projects hosted by an open-source steward can align with the CRA’s requirements.

Caveats

As described above, the following guidance is focused on the CRA’s requirements for OSS projects that are supported by “open-source software stewards”.

Not all project governance structures are necessarily in line with the CRA’s definition of “open-source software stewards”. Therefore, the CRA may operate differently for other project governance structures, such as:

  • open source projects hosted by an individual or commercial company

  • open source projects hosted by a community without a formal legal entity

  • manufacturers of products that incorporate open source projects

Projects with alternative governance structures should consult with their own legal counsel to understand how the CRA applies to their models. The following guidance is particularly intended for open source projects hosted by the Linux Foundation and its related entities.