Hasty Briefs (beta)

What has (can) the EU Cyber Resilience Act done (do) for you?

a day ago
  • #Software Bill of Materials
  • #EU Cyber Resilience Act
  • #Open Source Compliance
  • The EU Cyber Resilience Act (CRA) enters full force in 2026-2027, imposing legal requirements on software developers and open source projects.
  • The CRA does not spell the end of open source software; instead, it establishes a framework beneficial to well-engineered open source projects.
  • Manufacturers must provide a Software Bill of Materials (SBOM) for products with digital elements to ensure transparency and security compliance.
  • Open source developers are generally not burdened by formal obligations under the CRA, as per recital 18, unless they engage in commercial activities.
  • Open source stewards (e.g., foundations) have responsibilities for infrastructure, bug reporting, and security matters related to their projects.
  • Non-compliance can result in penalties like product recalls and fines up to €15 million or 2.5% of global annual turnover.
  • SBOMs are crucial for quality assurance, dependency management, and compliance, with tools like Syft, Bomber, and CDXGen available for generation.
  • The CRA aligns software engineering with traditional engineering practices, emphasizing code quality, transparency, and security.
  • DependencyTrack and other management tools help organizations handle SBOMs and vulnerabilities, especially for non-developer stakeholders.
  • FreeBSD is actively preparing for CRA compliance with SBOM tooling, while other BSD projects like NetBSD and OpenBSD have fewer publicly visible initiatives.
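The points above on SBOMs as a basis for quality assurance and dependency management are easier to grasp with a concrete document in hand. The following is an added example, not code from the brief or from any of the tools it names (Syft, Bomber, CDXGen, DependencyTrack): it embeds a small, constructed CycloneDX JSON SBOM (the component names, versions and purls are made up), and runs the kind of sanity checks a maintainer or compliance reviewer would apply before handing the file to a vulnerability-matching or license-review tool: which components lack the `version`/`purl` fields such matching depends on, which lack license data, what the transitive dependency closure of the root application is, and whether the dependency graph references components the SBOM never declares. The field names follow the CycloneDX JSON layout; the check functions and thresholds are my own choices.

```python
import json
from collections import deque

# Constructed sample SBOM in CycloneDX JSON form (a format generators such as
# Syft and CDXGen can emit). All component data below is invented for illustration.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
    "component": {"type": "application", "bom-ref": "app",
                  "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
     "purl": "pkg:pypi/lib-a@2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0",
     "purl": "pkg:pypi/lib-b@0.9.0"},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": ["lib-c"]},
    {"ref": "lib-b", "dependsOn": []},
    {"ref": "lib-c", "dependsOn": []}
  ]
}
"""


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        raise ValueError("not a CycloneDX SBOM")
    return sbom


def components_by_ref(sbom):
    """Index declared components by their bom-ref, the key the dependency graph uses."""
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def incomplete_components(sbom):
    """Map component name -> list of missing fields. 'version' and 'purl' are what a
    vulnerability matcher keys on; 'licenses' is what a license review needs."""
    problems = {}
    for comp in sbom.get("components", []):
        missing = [f for f in ("version", "purl", "licenses") if f not in comp]
        if missing:
            problems[comp["name"]] = missing
    return problems


def transitive_dependencies(sbom, ref):
    """Breadth-first walk of the 'dependencies' graph from a bom-ref; returns the
    set of refs reachable from it (the root itself is excluded)."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen = set()
    queue = deque(graph.get(ref, []))
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(graph.get(current, []))
    return seen


def orphan_refs(sbom):
    """Refs used in the dependency graph that no component (or the root) declares.
    A non-empty result usually means a truncated or hand-edited SBOM."""
    known = set(components_by_ref(sbom))
    known.add(sbom["metadata"]["component"]["bom-ref"])
    used = set()
    for dep in sbom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep.get("dependsOn", []))
    return used - known


if __name__ == "__main__":
    bom = load_sbom(SAMPLE_SBOM)
    root = bom["metadata"]["component"]["bom-ref"]
    print("incomplete components:", incomplete_components(bom))
    print("transitive deps of", root, ":", sorted(transitive_dependencies(bom, root)))
    print("orphan refs:", orphan_refs(bom))
```

Run against the embedded sample, the report flags `lib-b` for missing license data and `lib-c` for missing both `version` and `purl`, which is exactly the component a scanner would silently fail to match against any advisory database; the closure from `app` is all three libraries, and no orphan refs are present. The same functions apply unchanged to a real SBOM loaded from a file.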