Linux Foundation Europe and Open Source Security Foundation (OpenSSF) have announced a global joint initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA) and future cybersecurity legislation targeting jurisdictions around the world.
The EU Cyber Resilience Act sets new regulatory requirements for software security, placing a significant emphasis on the safety and security of digital products sold within the European market.
The joint initiative helps develop and formalise much-needed cybersecurity standards and compliance frameworks to help 100+ million open source communities understand and meet the regulatory requirements outlined in the CRA, and to expand efforts to address legislation around the world.
The initiative builds on the discussions and outcomes of the recent Open Source Software Stewards and Manufacturers Workshop, where key stakeholders came together to address the critical work needed to align manufacturers, open source projects, and open source software stewards with the requirements outlined in the CRA.
The initiative will focus on several core deliverables over the coming months to help EU policy makers, including:
“As the steward for some of the most critical open source projects in the world, we feel the responsibility to reduce friction for our maintainers and software manufacturers leveraging upstream open source to comply with these regulations,” said Mirko Boehm, Senior Director for Community Development at Linux Foundation Europe.
“While the CRA represents the most immediate priority, our global nature means we can support projects across jurisdictions and prevent the burden of a fragmented regulatory landscape through established community-driven standards and tools like those in OpenSSF.”
According to Christopher “CRob” Robinson, Chief Security Architect of the OpenSSF, the responsibility for these practices rightly falls upon commercial entities to perform and provide, not the upstream open source maintainers.
“Mature manufacturers should already be doing the majority of the legislated requirements, while those that are not doing them will still have a short runway until the CRA finally goes into effect in 2027.”
The Linux Foundation Europe and OpenSSF invite the broader open source community to participate in this initiative. To get involved, visit the Global Cyber Policy WG GitHub or join the Slack channel #wg-globalcyberpolicy.