CRA and friends: EU product, service and software regulation

The EU Cyber Resilience Act (CRA) applies to products with digital elements but explicitly exempts open source software unless used commercially

Manufacturers have key obligations under CRA including:

• Providing security updates for 5-10 years
• Conducting risk assessments
• Implementing vulnerability management and CVD processes
• Providing documentation to market surveillance authorities

The “steward” role is a new concept introduced to help coordinate between open source projects and regulatory requirements

Simply publishing open source code on platforms like GitHub does not constitute “placing on the market” - commercial activity is required for CRA obligations to apply

Self-assessment is the minimum requirement for most software products under CRA, with stricter requirements for Class 1, Class 2 and critical products

The regulation introduces CE marking requirements for software products in the EU market

Market surveillance authorities have different oversight approaches for open source vs closed source software

CRA enforcement begins after 21 months, with full application after 36 months

Manufacturers must provide Software Bills of Materials (SBOMs) but these don’t need to be public

The regulation aims to establish security baselines while minimizing impact on open source development models