Linux Foundation and OpenSSF to Help Developers Navigate EU Cyber Resilience Act
- By John K. Waters
- February 12, 2025
Open-source software developers face new security and compliance challenges as the European Union’s Cyber Resilience Act (CRA) sets stricter requirements for software security. To support developers, Linux Foundation Europe and the Open Source Security Foundation (OpenSSF) have launched a global initiative aimed at helping open-source maintainers and contributors prepare for the regulatory landscape.
The initiative will provide tools, guidance, and automation processes to help software developers align with evolving security standards. With more than 100 million developers contributing to open-source projects globally, the Linux Foundation and OpenSSF emphasize that clear compliance frameworks are essential to ensuring that software remains secure and innovation-friendly.
"The CRA is a major shift in software regulation, and we want to make compliance as seamless as possible for open-source maintainers," said Mirko Boehm, Senior Director for Community Development at Linux Foundation Europe. "Our goal is to equip developers with the resources they need to meet security expectations without unnecessary complexity."
The EU’s CRA, set to take effect in 2027, requires digital products sold in the European market to meet strict cybersecurity standards. This means that developers contributing to open-source projects used in commercial software will need to ensure compliance with secure coding practices, vulnerability management, and documentation requirements.
Christopher Robinson, Chief Security Architect at OpenSSF, stressed that while large organizations may already follow security best practices, independent developers and smaller projects need additional support. "We want to ensure that compliance responsibilities do not unfairly fall on maintainers who contribute their time voluntarily," he said in a statement.
Resources and Next Steps for Developers
To ease the compliance burden, the initiative will focus on:
- Developing security guidelines tailored to open-source projects.
- Providing automated compliance tools to streamline security checks.
- Creating community-driven standards to ensure alignment with global regulations.
"All open-source projects stand to benefit from easily implementable cybersecurity practices," said Felix Reda, Director of Developer Policy at GitHub, in a statement. "GitHub continues to engage with the European Commission to advocate for and achieve the greatest level of regulatory clarity for open-source developers, and initiatives like that of Linux Foundation and OpenSSF are crucial for preparing the community for compliance with the Cyber Resilience Act."
Software developers interested in contributing to the initiative can participate via working groups, Slack discussions, and mailing lists hosted by Linux Foundation and OpenSSF.
"Cybersecurity should not be a barrier to open-source contribution," said Rebecca Rumbul, Executive Director of the Rust Foundation, in a statement. "By working together, we can ensure that developers have the tools they need to comply with regulations while continuing to build innovative and secure software."
About the Author
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].