CRA FOSDEM Meetup: Notes and Next Steps for Open Source Engagement #23
Salkimmich started this conversation in General
Below are notes from the two in-person meetings on the CRA at FOSDEM 2025. Please review and provide your own thoughts and discussion on this topic - these are the thoughts and opinions of that small group, and we can continue the conversation here:
1. Workstreams & Community Engagement on GitHub
We are looking to establish focused workstreams and encourage more engagement on our GitHub repository. The goal is to develop clear guidance, actionable resources, and collaborative efforts to navigate the CRA.
To be effective, it was proposed to narrow down our approach to specific personas affected by CRA:
- Maintainers – those responsible for sustaining open-source projects
- Producers – product developers integrating open-source components
- Consumers – end users and enterprises relying on open-source software
2. Beyond CRA: The Broader Regulatory Landscape
CRA is not an isolated regulation—it intersects with several other EU regulations, including:
- NIS2 (Network and Information Security Directive)
- AI Act
- eIDAS (Electronic Identification and Trust Services Regulation)
- EHDS (European Health Data Space)
Rather than focusing solely on the complexity of these frameworks, we should guide users in conceptualizing their role within them.
3. Clarifying Open Questions on CRA Implementation
There is no concrete "definition of done" for the CRA at this time. Many questions remain unanswered, particularly regarding early guidance and implementation timelines.
Key takeaway: When the European Commission refers to "guidance," they mean the Blue Guide, which will be available in 2–5 years. Meanwhile, voluntary compliance measures are gaining traction—although 80% of open-source projects may not be directly impacted by CRA, many want to understand its implications.
We identified two critical needs:
- Scope Definition – Clarifying who and what falls under CRA obligations.
- Early Guidance – Developing a questionnaire or similar tool to help projects and organizations determine how the CRA affects them.
4. Surveillance Authority & Compliance Mechanisms
The CRA requires a surveillance authority to oversee horizontal regulation, but currently, only vertical integration authorities exist. This regulatory gap raises concerns about enforcement and monitoring consistency.
Additionally, companies and projects will need to start considering Product Development Evidence (PDE) to meet EU security requirements, which differ from global regulatory frameworks.
5. Open Source's Role in CRA Compliance
While open-source projects do not have explicit obligations under the CRA, there is a strong incentive for communities, foundations, and maintainers to align with compliance best practices. This will make open-source solutions better market choices and reduce downstream compliance risks.
To support this:
- The OpenSSF CRA group can use its outreach to encourage community responses to consultations.
- Eclipse and the Linux Foundation are working toward a more unified approach, leveraging existing best practices.
- Eclipse’s Open Regulatory Compliance (ORC) group is maintaining an evolving FAQ to aid in guidance development.
6. Next Steps & Key Events
- KubeCon EU 2025 (April 1-5, 2025) – Keynote on CRA implications for open-source software and vendors.
- Collaboration with Eclipse ORC – They are documenting best practices and helping the European Commission with guidance development.
- Workstream Development – We aim to grow our working groups to ensure expertise across open-source maintainers, manufacturers, and stewards.