Open source foundations unite on common standards for EU’s Cybersecurity Resilience Act

Seven open source foundations are coming together to create common specifications and standards for the European Cyber Resilience Act (CRA), a regulation adopted by the European Parliament last month.

The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation have revealed plans to pool their collective resources and connect the dots between existing security best practices in open source software development – and to ensure that the much-maligned software supply chain is up to par when the new legislation comes into force in three years.


It is estimated that between 70 and 90% of software today is made up of open source components, many of which are developed for free by programmers, at their own pace and expense.

The Cyber Resilience Act was first unveiled in draft form almost two years ago, with the aim of codifying cybersecurity best practices for hardware and software products sold in the European Union. It is designed to force all manufacturers of Internet-connected products to stay up to date with all the latest security patches and updates, with penalties for gaps.

These sanctions for non-compliance include fines of up to €15 million, or 2.5% of overall turnover.

The legislation, in its initial form, drew strong criticism from many third-party organizations, including more than a dozen free software industry organizations that wrote an open letter last year asserting that the law could have a “chilling effect” on software development. The bulk of the complaints focused on how “upstream” open source developers could be held responsible for security flaws in downstream products, thereby dissuading volunteer project maintainers from working on critical components for fear of legal retaliation (similar to the concerns that abounded around the EU AI law, which was given the green light last month).

The language of the CRA regulation provided some protections for the open source domain, in that developers not concerned with commercializing their work were technically exempt. However, the language was open to interpretation depending on what exactly fell under the “commercial activity” banner: would sponsorships, grants, and other forms of financial assistance be considered, for example?

Some changes were ultimately made to the text, and the revised legislation substantially addressed concerns by clarifying exclusions for open source projects.

Although the new regulations have already been approved, they will not come into force until 2027, giving all parties time to meet the requirements and iron out some of the finer details of what is expected of them. And that is why the seven open source foundations are coming together now.


The way many open source projects scale means that they often have spotty (or non-existent) documentation, making it difficult to support audits, as well as making it difficult for manufacturers and downstream developers to develop their own CRA processes.

Many of the better-resourced open source initiatives already have decent best practice standards in place, related to things like coordinated vulnerability disclosure and peer review, but each entity can use different methodologies and different terminologies. By coming together, the foundations hope to go some way towards treating open source software development as a single “thing” bound by the same standards and processes.

Add to this other proposed regulations, including the Securing Open Source Software Act in the United States, and it is clear that various foundations and “open source stewards” will be subject to greater scrutiny for their role in the software supply chain.

“Even though open source communities and foundations generally adhere to and have historically established industry best practices for security, their approaches often lack alignment and comprehensive documentation,” the Eclipse Foundation wrote in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.”

The new collaboration, although initially made up of seven foundations, will be led in Brussels by the Eclipse Foundation, which hosts hundreds of individual open source projects covering development tools, frameworks, specifications, and more. Foundation members include Huawei, IBM, Microsoft, Red Hat and Oracle.
