Open source foundations unite on common standards for EU’s Cyber Resilience Act


The use of open source software tools is becoming increasingly common today, being used to create many of the most popular platforms for businesses across the world.

However, this rise has posed a problem for regulation such as the EU Cyber Resilience Act (CRA), as open source software is often built independently by programmers outside of their usual work, resulting in a lack of proper documentation.

A particular focal point of criticism against the original draft of the CRA was that, if software built using open source components were found to be non-compliant with the act, the resulting liability could deter developers from releasing their work in the future.

New legislation set for 2027

Now, the CRA intends to make sure that products that are connected to the internet stay up-to-date with the latest security updates, as many devices are rushed through to release without proper testing, putting customers at risk of potential cyber attacks. The original CRA, however, did not adequately factor open source software into the product supply chain, which could result in open source developers being held liable for security vulnerabilities in products that use their software.

A group of seven open source foundations have banded together to create more suitable guidelines for open source as part of the supply chain, making changes to guidelines that were included to protect developers who had no financial incentive for releasing their work.

What counted as a financial incentive, or “commercial activity” as the CRA stated, was open to interpretation particularly for developers creating software under a grant or sponsorship. The group of open source foundations has since helped to revise the CRA to establish a specific terminology for those working for not-for-profit organizations or independently without financial incentives as “open source stewards.”

The group of seven organizations includes the Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation.

Speaking on the changes made to the CRA, Eclipse Foundation Executive Director Mike Milinkovich told TechCrunch, “In general, we are pleased with the outcome… the process worked, and the open source community was listened to. One of the most interesting aspects of the final regulation is that it recognizes ‘open source software stewards’ as a form of economic actor which are part of the overall software supply chain.”

“This is the first piece of legislation globally that recognizes the role played by foundations and other forms of community stewards.”

Benedict Collins
Staff Writer (Security)
