ORC Monthly: CRA Expert Group, Recent Workshops, and More

By Juan Rico

The Open Regulatory Compliance WG has created new resources on GitHub for those who are just getting started or who want to learn how to contribute. We hosted our first workshop in Brussels, joined the EU Open Source Policy Summit and attended the first CRA Expert Group meeting, had multiple community members present during FOSDEM, and developed a deliverables plan that better defines next steps and how others can contribute.

Timo Perala and Dirk-Willem van Gulik
ORC co-chairs

What’s New

The first CRA Expert Group meeting was held in Brussels in February with the goal of turning the CRA into action. This group will advise the Commission on issues such as the “implementation guidance” and advice for the implementation of the CRA. Attending members from open source foundations and the IT industry shared reports from the field and outlined due diligence requirements as a critical area for guidance, as well as guidance on components.
Attendees of the ORC workshop in Brussels drafted a deliverables plan that outlines the community’s next steps. Join the bi-weekly SIG calls to learn more and contribute.
At the EU Open Source Policy Summit, ORC joined a panel to explore how procedural standards being developed for the Cyber Resilience Act, AI Act, Data Act, and Interoperable Europe Act can align with the development and business models of free and open source software.
The Standardization Request for the CRA standards was published on 3 February. In this document, the EU directs the European standards organisations to develop specific standards supporting the CRA. The standards development is organized into three milestones with specific deadlines. Read the summary here for the most essential info.

Top Conversations

[open-regulatory-compliance] ENISA 2025-2027 Programming Document Posted by Roman Zhukov

What are the timelines for standards drafting and compliance? Manufacturer FAQ

So I “monetise” on an open source project, what does it mean for me? FAQ – During the CRA Expert Group meeting in Brussels, ORC shared this question as an example of maintainer concerns about the CRA.

Overheard

Christopher Jenkins's LinkedIn post: Another great example of cooperation between Red Hat and the wider open source communities. Many thanks to the Open Regulatory Compliance Working Group for hosting such a lively day of collaboration and workshops around the Cyber Resilience Act in Brussels. This image sums up quite a lot … we’re here but we really need to understand what’s next and how we (projects, stewards and manufacturers) can really work together to understand and harmonise the standards together. Did you noticed that I used the word “together“ twice? That’s because we can’t do this in separate, disparate solos - collaboration is key.

Upcoming Events

Cyber Resilience SIG | Monday, March 3 (Occurs Biweekly)

Embedded World 2025 | Tuesday, March 11 - ORC will be part of the Eclipse Foundation booth, stop by to chat with Juan Rico, ORC Program Manager.

9th Cybersecurity Standardisation Conference | Thursday, March 20 - Tobie Langel is speaking on the panel “Overarching cybersecurity by standards”.

CVE/FIRST VulnCon 2025 & Annual CNA Summit | April 7-10 - Collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

View all events