Thursday, January 29, 2026 - 07:00

Over the past year, the open source community has made significant progress in understanding and implementing the Cyber Resilience Act (CRA). For manufacturers building products with open source, as well as the projects, foundations, and contributors that sustain it, the CRA introduces new obligations, making visibility into the community’s progress both relevant and necessary. What began as a period of uncertainty has evolved into a coordinated effort to meet the regulation’s 2026 compliance obligations, with the community now shifting its focus from understanding the CRA to putting it into practice.
Tackling early concerns

At the start of 2025, as CRA discussions intensified, the biggest concerns revolved around the numerous "moving pieces" of the CRA and how individual member states would ultimately adopt and enforce the regulation. What was initially perceived as an existential threat driven by unclear obligations and concerns about unintended consequences for open source has evolved into a more workable regulatory framework. Through collective efforts such as the CRA FAQ, which helped establish a common baseline across legal, technical, and community stakeholders, the community has moved from reacting to the legal text to developing a shared, practical interpretation of how the CRA applies to open source software.

This evolving understanding has also reshaped expectations around engagement and accountability. The CRA encourages more active collaboration between manufacturers and open source projects, prompting exploration of approaches like voluntary security attestations. At the same time, the formal recognition of the open source software steward introduces a new governance role that the community is actively working to define. The community launched the Open Source Software Stewards and CRA white paper, offering practical guidance on how steward responsibilities may be approached in line with the regulation.
Focusing on 2026 readiness

With initial obligations, such as vulnerability reporting, coming into force in 2026, the open source community – particularly members of the Open Regulatory Compliance (ORC) working group – is now focused on practical preparation. The year 2026 will be pivotal for:

  • Voluntary security attestations: Developing a proposal for voluntary security attestations under Article 25, outlining how open source projects can demonstrate responsible practices.
  • Manufacturer due diligence: Clarifying the due diligence obligations for manufacturers under Article 13(5), defining practical ways to collaborate with open source communities.
  • Specification development: Creating technical specifications and best practices to help open source projects and foundations meet CRA requirements and align with emerging horizontal standards.
  • Training materials: Delivering a training program to equip developers, maintainers, and manufacturers with the knowledge to implement CRA-aligned processes. 
The major shift

Looking back, the single biggest change in the community’s understanding of the CRA is the shift in focus: from clarifying the way forward to actively implementing the necessary tools, assets, and processes for compliance. While the full regulatory picture may not yet be complete, the community now possesses enough understanding to deliver a path toward compliance.
Get involved

The Open Regulatory Compliance Working Group is actively welcoming participation from developers, legal experts, project leaders, and industry stakeholders who want to help shape open source compliance in the context of the CRA and other emerging regulations. 

Whether you're looking to contribute to voluntary security attestations, develop guidance for open source stewards, or support training and education efforts, your input is valuable.
About the Author

Juan Rico

Juan Rico is the Senior Manager for Open Regulatory Compliance, Oniro and Cloud Programs at the Eclipse Foundation. Over the last 10 years, he has been combining technology and business development, defining and deploying digital transformation strategies for energy, consumer devices, and manufacturing companies. These challenges led him to specialise in Disruptive Strategy at Harvard Business School and Innovation Management at Georgia Tech.