Skip to content
TopicTracker
From nesbitt.ioView original
TranslationTranslation

The CRA is not about open source

The Cyber Resilience Act introduces an open-source steward role but fails to provide funding for ongoing maintenance, leaving critical security work unfunded despite new regulatory obligations.

Background

- The **CRA** (Cyber Resilience Act) is a European Union regulation that imposes cybersecurity requirements on products with digital elements — including software — sold in the EU. It was adopted in late 2024, with provisions rolling out through 2025–2027. - The Act includes a specific role for "open-source stewards" — organizations that manage or distribute open-source software (e.g., the Eclipse Foundation, the Apache Software Foundation, or Linux Foundation Europe). These stewards can help their projects comply with CRA obligations. - The criticism, voiced here and elsewhere, is that the CRA creates responsibilities for stewards (documentation, vulnerability reporting, compliance paperwork) but provides **no funding** to do that work. Open-source projects that are developed by unpaid volunteers or understaffed nonprofits now face regulatory pressure without resources to meet it. - The broader debate: The EU says the CRA protects consumers; critics say it burdens open-source infrastructure that the entire tech industry depends on, potentially driving small projects to shut down or move outside EU jurisdiction.

Related stories

  • Jimmy Wales announced that Wikipedia was live at wikipedia.com on January 15, 2001. The site was intended to be a "really quite snazzy" wiki complement to the Nupedia project, offering a more collaborative and less formal environment for building an encyclopedia.

  • Ars Technica reports on the aftermath of the catastrophic failure of Blue Origin's New Glenn rocket, examining the investigation into the cause of the anomaly, the impact on the company's launch schedule and contracts, and the broader implications for the commercial space industry.

  • OpenAI has previewed GPT‑5.6 Sol, describing it as a next-generation model. The announcement provides early details on the system's capabilities and expected advancements over prior iterations.

  • President Trump issued an Executive Order directing the U.S. government to transition to quantum-resistant cryptographic standards within set timelines, requiring federal agencies to inventory their cryptographic systems and develop migration plans to defend against future quantum computing threats.