Thursday, August 28, 2025 - 07:00

In 2024, the European Union’s Cyber Resilience Act (CRA) entered into force. It’s a sweeping regulation designed to improve the cybersecurity of products with digital elements across the EU market. As the first EU regulation to directly address the lifecycle of digital product security, it holds profound implications for anyone who designs, develops, maintains, or distributes software, including open source developers.

The CRA brings a wide range of obligations: vulnerability handling, secure development practices, risk assessments, and more. It aims to ensure that software and hardware products are delivered with fewer vulnerabilities and are patched more effectively throughout their lifecycle.

While its objectives are well-intentioned, the one-size-fits-all structure of the CRA has raised serious concerns, particularly for the open source ecosystem, where collaboration is global, decentralised, and volunteer-driven. Without careful consideration, the CRA could place undue burdens on maintainers, limit innovation, and unintentionally stifle the very security improvements it seeks to enable.

That’s where the Open Regulation Compliance (ORC) Working Group steps in.

ORC’s Contributions to CRA

The ORC Working Group was established to ensure that open source voices are heard in the development of digital policy. ORC brings together stakeholders from across the open source landscape—foundations, policy experts, industry representatives, and developers—to provide collective input on policy proposals like the CRA.

In the first half of 2025, the ORC Working Group has made six formal contributions to policy initiatives related to the CRA and cybersecurity regulation. Here’s a snapshot:

  • Input to the Draft EU Commission Implementing Regulation on the Technical Description of Important and Critical Products: In early 2025, we submitted feedback on the Commission’s draft implementing regulation detailing how to classify “important” and “critical” products under the CRA. Our input emphasised the need for clear, inclusive criteria that reflect the realities of open source software (OSS) development. We urged the Commission to adopt definitions that accurately account for OSS components, ensuring obligations are proportionate and innovation is not inadvertently hindered.
  • Contribution to CEN/CENELEC’s Vulnerability Handling Standard (Clause 4.4): We contributed to the development of the vulnerability handling standard from CEN/CENELEC, focusing on Clause 4.4, which addresses coordinated vulnerability disclosure. Our recommendations stressed the importance of flexibility and transparency to accommodate the diverse nature of OSS projects and the varying capacities of their maintainers.
  • EU Guidance on Open Source Hardware: We provided input on draft EU guidance that could have far-reaching implications for the open source hardware community. Our comments emphasised the need for inclusive, transparent processes that reflect the realities of collaborative, community-based innovation.
  • CEN/CENELEC PT 1 Standard: We submitted detailed comments on the draft standard under preparation by the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), specifically Technical Committee PT 1. Our feedback focused on clarifying language to ensure open source practices are accurately represented and not inadvertently excluded from compliance pathways.
  • Proposed Cybersecurity Act (CSA) Revision: We also responded to the public consultation on revisions to the CSA. Our submission addressed potential implications for open source software development and maintenance models, urging a regulatory approach that fosters collaboration, transparency, and innovation.
  • Further Input on General Open Source Guidance: Building on previous engagements, we offered additional refinements to the European Commission’s draft guidance on open source in general. These suggestions aimed to ensure the final guidance remains pragmatic, balanced, and compatible with the diverse range of open source ecosystems active in the EU. Note: As the draft guidance cannot be shared outside of the CRA Expert Group, neither can the comments.

Each of these contributions reflects ORC’s growing role as a trusted voice in policy conversations affecting open source and cybersecurity. ORC brings the perspectives of the open source community into these discussions, advocating for frameworks that enable, rather than inhibit, responsible innovation.

Why This Matters for Open Source Developers

Although the CRA is a European regulation, its implications extend globally due to the foundational role open source plays in digital infrastructure. Because open source components are widely used in commercial products distributed within the EU, maintainers may find their work falling under regulatory scrutiny, even if they are not directly involved in product commercialisation or EU-based activities.

As a result, open source maintainers may encounter increased expectations from downstream users, such as integrators and commercial vendors, who seek evidence of secure development practices, structured vulnerability disclosure processes, or compliance-ready documentation. While maintainers themselves may not hold legal responsibilities under the CRA, the regulation is influencing the norms and demands placed on open source contributors throughout the software supply chain.

This underscores the importance of the ORC Working Group’s contributions to European policy discussions. By advocating for clarity and technical accuracy in how open source software is treated under the CRA, ORC is helping ensure that the regulation supports the sustainability and security of open, community-driven development.

Stay Informed and Get Involved

To stay informed on the CRA and contribute to open source-friendly policy development, visit orcwg.org, where you’ll find updates on upcoming events and opportunities to participate.

For technical and policy details, you can also track all submissions and collaborative work on our GitHub repository.

We appreciate the contributions of all members, collaborators, and reviewers who help make this work possible. Your expertise and engagement are critical to our shared mission of promoting open, secure, and trustworthy digital infrastructure in Europe and beyond. Thank you for being part of the journey.

About the Author

Timo Perala

Timo Perala is the Head of Software and Internet Standardisation at Nokia Networks.

Dirk-Willem van Gulik

Dirk-Willem is a VP of Public Policy at Apache Software.