EU Cyber Resilience Act: comments and reactions

September 11, 2023



OW2's position on the CRA is clear: we are not trying to get all of open source out of scope, but the CRA should only apply to direct commercial beneficiaries of OSS deployment. "Full stop", should we add?

For details, please refer to OSI's September 4, 2023 post by Simon Phipps ("Diverse Open Source uses highlight need for precision in Cyber Resilience Act"), which perfectly reflects our vision. We have no other requirements, and fully support its conclusion:

"The Cyber Resilience Act should exclude all activities prior to commercial deployment of software and clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment."

About the Cyber Resilience Act:
The proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act, bolsters cybersecurity rules to ensure more secure hardware and software products. Even though the CRA provides an exemption for open source software developed or supplied outside the course of a commercial activity, there are many remaining challenges in defining the scope of the exemption, which are currently being discussed.
Find out more about the initial introduction of the CRA from the EU:

We are collecting below a number of useful links from the press, media and technical blogs to provide some background information on the topic.