Coordinating Open Source Feedback on the CRA Draft Guidance
By Juan Rico
The European Commission has published its draft guidance for the implementation of the Cyber Resilience Act (CRA) and opened it for public feedback until March 31st. This consultation represents an important opportunity for the open source ecosystem to help refine how the CRA will be interpreted and applied in practice.
Over the past year, the ORC community has held multiple discussions around CRA implementation, and these were turned into practical language provided to the European Commission as part of the Eclipse Foundation's work in the CRA Expert Group. We are proud to see that many of the suggestions made by our community are reflected in the current draft guidance, demonstrating that collaborative dialogue between regulators and the open source ecosystem can lead to meaningful progress.
At the same time, this draft is not the final step. As with any complex regulatory framework, there are still areas where clarification and improvement would benefit both regulators and the broader ecosystem. The public consultation provides a valuable moment for stakeholders to help ensure that the guidance is both effective and workable for organisations building and maintaining digital products.
What is in the guidance
This guidance document is highly relevant as it addresses many of the CRA’s most controversial topics, including:
- Who counts as a “manufacturer”: the guidance clarifies that responsibility can extend beyond the original developer to companies integrating or rebranding software/components into a product placed on the EU market.
- Treatment of open source software (OSS): it distinguishes voluntary OSS contributors from commercial actors. Pure contributors are generally out of scope, while entities that commercially distribute or integrate OSS into products may assume CRA obligations.
- Scope of “products with digital elements”: the document explains more clearly which software, hardware–software combinations, and embedded components fall under CRA, including when standalone software is considered a regulated product.
- Role of remote or supporting services: it clarifies when cloud or remote services linked to a product are considered part of the product’s cybersecurity context and therefore relevant for compliance.
- How to interpret the “support period”: the guidance gives more detail on how manufacturers should determine and communicate the expected support period, including vulnerability management and security updates during that time.
A Collective Effort
One of the key strengths of the ORC community is our ability to bring together experts from across industry, open source communities and foundations to analyse regulatory proposals and provide constructive feedback.
The European Commission has demonstrated that it is listening to well-founded input from technical communities. This reinforces the importance of continuing to engage constructively and ensuring that the perspectives of open source developers, maintainers, and organisations are represented.
Join the Conversation
The ORC Working Group will use its upcoming meetings to review the draft guidance, consolidate feedback, and coordinate community input before submitting our recommendations to the European Commission.
If you are interested in contributing to this effort, we invite you to join our discussions on the ORC mailing list. Your perspective can help ensure that the CRA guidance supports both stronger cybersecurity and a thriving open source ecosystem.
Together, we can continue demonstrating that open collaboration leads to better policy outcomes.
