DEVOPSdigest

Linux Foundation Europe and OpenSSF announced a global joint-initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA) and future cybersecurity legislation targeting jurisdictions around the world.

This effort aims to help develop and formalize much needed cybersecurity standards and compliance frameworks, to help 100+ million open source communities understand and meet the regulatory requirements outlined in the CRA, with the goal of expanding efforts to address legislation around the world.

The initiative builds on the discussions and outcomes of the recent Open Source Software Stewards and Manufacturers Workshop, where key stakeholders came together to address the critical work needed to align manufacturers, open source projects, and open source software stewards with the requirements outlined in the CRA.

“As software becomes increasingly regulated across the globe, and as the steward for some of the most critical open source projects in the world, we feel the responsibility to reduce friction for our maintainers and software manufacturers leveraging upstream open source to comply with these regulations," said Mirko Boehm, Senior Director for Community Development at Linux Foundation Europe. "While the CRA represents the most immediate priority, our global nature means we can support projects across jurisdictions and prevent the burden of a fragmented regulatory landscape through established community driven standards and tools like those in OpenSSF ”

While the initiative is driven by the immediate need to address the EU Cyber Resilience Act, its implications extend far beyond Europe. With cybersecurity now a global concern, the diverse participation from companies across regions, including the United States, APAC, and others, highlights the universal relevance of this effort. The goal is to equip open source communities and manufacturers worldwide with the tools they need to meet not only European requirements but also the evolving security standards in markets around the globe.

“Cybersecurity is a matter of global concern. I am excited to see efforts like the EU’s CRA come online as it touches on topics we've been working to embed within organizations’ cybersecurity practices for decades," said Christopher “CRob” Robinson, Chief Security Architect of the OpenSSF. "I firmly believe that the responsibility for these practices rightly falls upon commercial entities to perform and provide, not the upstream open source maintainers. Mature manufacturers should already be doing the majority of the legislated requirements, while those that are not doing them will still have a short runway until the CRA finally goes into effect in 2027.”

The EU Cyber Resilience Act sets new regulatory requirements for software security, placing a significant emphasis on the safety and security of digital products sold within the European market. As key players in the global open source community, Linux Foundation Europe and OpenSSF are taking proactive steps to provide compliance guidance and tooling for maintainers and manufacturers, ensuring they are fully prepared for the act’s enforcement.

The initiative will focus on several core deliverables over the coming months to help EU policy makers, including:

- Discussing and formalizing cybersecurity specifications: Developing community-driven standards to ensure open source projects can meet the security requirements outlined in the CRA.

- Providing compliance guidance: Offering tools, processes, and best practices to help maintainers, manufacturers, and developers align with the new regulations.

- Implementing compliance processes and tooling: Creating resources to support the open source community in automating and managing compliance with the CRA across upstream projects.

The Linux Foundation Europe and OpenSSF invite the broader open source community to participate in this initiative.