CRA and friends: EU product, service and software regulation
Learn about the EU Cyber Resilience Act's impact on software products, including compliance requirements, open source exemptions, and new security obligations for manufacturers.
- The EU Cyber Resilience Act (CRA) applies to products with digital elements, hardware and software alike, but free and open source software is exempt unless it is made available on the market in the course of a commercial activity
- Manufacturers have key obligations under the CRA, including:
  - Providing security updates throughout a support period that reflects the expected lifetime of the product and is at least 5 years (shorter only where the product is expected to be in use for less time); technical documentation must remain available to authorities for at least 10 years after placing on the market or for the support period, whichever is longer
  - Conducting and documenting a cybersecurity risk assessment for the product
  - Implementing vulnerability handling and coordinated vulnerability disclosure (CVD) processes, including reporting actively exploited vulnerabilities and severe incidents
  - Providing technical documentation, including the SBOM, to market surveillance authorities on request
- The "open source software steward" is a new role created for legal persons (typically foundations) that systematically support the development of open source software intended for commercial use; stewards carry a light-touch set of obligations, mainly maintaining a security policy and cooperating with authorities, and are not subject to CE marking
- Simply publishing open source code on platforms like GitHub does not constitute "placing on the market"; CRA obligations apply only when the software is supplied in the course of a commercial activity, such as being sold or otherwise monetised
- Self-assessment of conformity is the default route for most products with digital elements; "important" products (Class I and Class II) and "critical" products face stricter conformity assessment requirements, up to mandatory third-party assessment or certification
- The regulation extends CE marking to software: a product with digital elements, including standalone software, placed on the EU market must carry the CE marking as a declaration that it meets the CRA's essential requirements
- Market surveillance authorities take different oversight approaches to open source and proprietary software: stewards cooperate with authorities and are not subject to administrative fines, whereas manufacturers of commercial products face the full market surveillance and penalty regime
- The CRA entered into force on 10 December 2024; vulnerability and incident reporting obligations apply from 21 months after entry into force (11 September 2026), and the regulation applies in full after 36 months (11 December 2027)
- Manufacturers must produce a Software Bill of Materials (SBOM) covering at least the product's top-level dependencies as part of the technical documentation; it must be available to market surveillance authorities but does not need to be made public
- The regulation aims to establish security baselines for products sold in the EU while minimising the impact on open source development models