Why Do You Trust Software? | CRA Mondays
By Shanda Giacomoni
In this edition of CRA Mondays, we welcomed John Ellis, President and Head of Product at CodeThink, to discuss the trustworthiness of software in the context of the Cyber Resilience Act (CRA). With extensive experience leading high-performance software projects across industries like automotive, finance, medical, and IoT, John brought a broad and practical perspective to the conversation.
John began with a provocative question: “Why do you trust software?” This simple but powerful prompt set the stage for a discussion on the assumptions we make about technology and how those assumptions can sometimes fail. As he pointed out, even when software is widely deployed and heavily tested, it does not automatically mean it is trustworthy.
Throughout the session, John shared examples of how software vulnerabilities can ripple across industries. He referenced recent high-profile incidents, such as the CrowdStrike outage, to illustrate how failures in trusted systems can have global consequences. These stories underscored the need for more robust approaches to both risk management and regulatory frameworks.
One of the key themes of John’s talk was the gap between testing and trust. “Tested does not equal trustable,” he emphasized, highlighting that while testing is essential, it must be paired with processes that ensure long-term reliability and accountability. He also explored how concepts like insurance risk metrics and cross-industry standards could bring new transparency to the conversation.
The session wrapped up with a lively Q&A, where attendees raised questions about how organizations can communicate CRA concerns to executives, apply trustable software frameworks in practice, and align with regulatory expectations. These exchanges reinforced the importance of building shared understanding across developers, regulators, and businesses.
CRA Mondays continue to provide a space for open source contributors, experts, and community members to unpack the implications of the CRA. If you missed this session, we encourage you to watch the full recording.
Learn more about ORC and join the conversation: orcwg.org.