Step 5: Consider Additional Actions
Evaluate taking further steps to improve your project’s security posture.
While not required by the CRA, projects may want to consider taking further actions to improve their alignment with the CRA’s goals.
Doing so can be extremely helpful to downstream users working on their own CRA compliance. It can also make the project more appealing to those downstream users as they evaluate options for use in their products’ supply chains.
Some opportunities for additional actions include:
Develop CRA “technical documentation”.
Article 31 and Annex VII of the CRA describe a variety of requirements for “technical documentation.” This refers to specific details to be provided by manufacturers of products with digital elements.
Projects under open-source software stewards do not have an inherent requirement to develop these “technical documentation” elements. And even for projects that do develop them, not all of the elements described in Annex VII will be appropriate for every open source project.
However, documentation on many of the topics and processes described in Annex VII will be of great help to downstream users of the projects in managing their own CRA compliance.
In the future, participate in voluntary security attestation programs.
Article 25 of the CRA contemplates that attestation programs can be undertaken by developers and users, to assess conformity of open source projects with security requirements and CRA obligations.
Any such attestation programs would be subject to future rules, yet to be adopted by the European Commission. So this is at present a forward-looking option to consider.