This guide provides the most up-to-date information on the Cyber Resilience Act (CRA), a European Union law that establishes mandatory cybersecurity requirements for products with digital elements.
If you manufacture, maintain, or steward open source software, you may be wondering how the CRA applies to you. CRA reporting requirements will become applicable on 11 September 2026, with all requirements taking effect on 11 December 2027 — so it’s important to begin preparing now.
About the CRA
The Cyber Resilience Act (CRA) entered into force on 11 December 2024. The CRA is a European law created to ensure that software products are designed and maintained with security in mind throughout their lifecycle.
Hardware and software products are increasingly subject to cyberattacks. The inherent security risks of software are not well understood by consumers, yet estimates predict that cybercrime will cost the global economy more than 20 trillion USD by 2026 (Source: Statista).
Manufacturers: a software vendor or a vendor of a physical product with software components. Manufacturers include anyone who is placing a product on the European market, i.e. this is not limited to European companies.
Open Source Maintainers: The EU is in the process of developing guidance on how the law will impact maintainers who monetize an open source project. If you just contribute to open source or do not monetize open source, you will not be impacted directly by the CRA. However, you may experience indirect impact in terms of higher expectations around security.
Open Source Stewards: Code hosting foundations or for-profit organizations that are not monetizing the particular pieces of software they are stewarding.
Not sure where your organisation fits? Check out the CRA FAQ.
Full supply chain compliance has never been required before the CRA. In any kind of software application, about 24% is built in-house or procured and 76% is open source dependencies. The CRA impacts the entire supply chain, including the ~76% of OSS, in every product. This changes everything.
Compliance used to consist of internal policies and legal agreements with vendors. Now, compliance across the whole open source supply chain will have to be brokered.
The fines are severe. Manufacturers found not to be in compliance will be fined. In addition to monetary fines, products will be removed from retail shelves until compliance is met.

CRA Resources
Connect, Learn & Stay Up to Date on the CRA
Community Resources
In response to the evolving regulatory landscape introduced by the Cyber Resilience Act (CRA), the Open Regulatory Compliance (ORC) Working Group has mobilised a dedicated community effort to support open source stakeholders. Recognising the unique challenges faced by developers, maintainers, and organisations, we are collaboratively developing a comprehensive suite of resources designed to demystify the CRA and provide actionable guidance. Our key initiatives, each crafted through community input, empower stakeholders to achieve informed and effective compliance.
CRA Frequently Asked Questions (FAQ)
The ORC community is actively developing this FAQ to address common questions about the CRA’s impact on open source projects. It is a living document that evolves as new insights emerge and as discussions with regulators progress.
Inventory of Standards, Specs, and Best Practices
This evolving resource compiles relevant standards, specifications, and best practices that can help open source projects align with CRA requirements. The community continuously updates and refines this list to reflect the latest regulatory and industry developments.
Summary of the Harmonized Standards
The ORC community is actively summarizing the European Commission's standardisation request issued on February 2, 2025. This document outlines the development of harmonized standards to support the Cyber Resilience Act (CRA), detailing key milestones and responsibilities assigned to European Standardisation Organisations.
Join the Discussion
Collaborate with us
The Open Regulatory Compliance (ORC) Working Group is a neutral forum for the open source community - including foundations, maintainers, vendors, users, package managers, among others - and the broader software industry to facilitate CRA compliance.