Summary
This article explains how open source projects can align with the EU Cyber Resilience Act (CRA). It focuses on the provisions the CRA makes for free and open-source software and on the practical steps projects and stewards can take to meet its security and vulnerability-handling expectations without giving up the collaborative and transparent way they develop software.
Relevant CRA Provisions
- Recitals: Recital 17, Recital 18, Recital 19, Recital 21
- Articles: Article 9, Article 12, Article 24, Article 25, Article 33
Detailed Explanation
The CRA introduces specific provisions to accommodate the way free and open-source software (FOSS) is developed. Recital (17) stresses the importance of FOSS for research and innovation and asks that the regulation take the FOSS development model into account. Recital (18) clarifies that only FOSS supplied for distribution or use in the course of a commercial activity falls within the scope of the CRA; FOSS developed and shared outside a commercial activity is not covered. Recital (19) introduces a light-touch, tailor-made regime for open-source software stewards, the legal persons that systematically support the development of FOSS products intended for commercial activities. Recital (21) supports the establishment of voluntary security attestation programmes so that manufacturers integrating FOSS components can more easily meet their due diligence obligations.
Article 12 links the CRA to the AI Act: a product with digital elements that is also a high-risk AI system and that fulfils the CRA's essential cybersecurity requirements is deemed to satisfy the cybersecurity requirements of the AI Act. Article 24 sets out the obligations of open-source software stewards, including putting in place and documenting a cybersecurity policy and cooperating with market surveillance authorities. Article 25 allows the Commission to establish voluntary security attestation programmes for FOSS. Article 33 provides support measures for microenterprises and small and medium-sized enterprises, including a simplified form of technical documentation and access to regulatory sandboxes.
Obligations for Stakeholders
- Open-source software stewards: Must put in place and document a cybersecurity policy covering secure development and effective vulnerability handling, cooperate with market surveillance authorities, provide the documentation those authorities request, and, to the extent they are involved in the development of the product, comply with the CRA's vulnerability and incident reporting obligations (Article 24).
- Manufacturers integrating FOSS: Remain responsible for the conformity of the product they place on the market, including its FOSS components. Where voluntary security attestation programmes exist, they may rely on attestations of those components to support their due diligence; attestation is voluntary and does not replace the manufacturer's own obligations (Article 25).
- Microenterprises and small and medium-sized enterprises: Can benefit from a simplified form of technical documentation, awareness-raising and training, and regulatory sandboxes that ease the compliance burden (Article 33).