The CRA isn't coming for your open source community
- Track: Community
- Room: UB5.230
- Day: Sunday
- Start: 12:05
- End: 12:30
- Video only: ub5230
Many open source contributors, maintainers, and communities are anxious about the Cyber Resilience Act (CRA) and its potential impact on open source. It’s easy to feel that these obligations aimed at commercial vendors will somehow end up falling on volunteer maintainers, community projects, and the broader open source ecosystem. But that's not the whole story.
Thanks to strong, coordinated advocacy from the community, the European Commission actually understands the open source ecosystem far better than many believe. The CRA not only clarifies where responsibility lies—squarely on the vendors who profit from open-source components, as it should—but also introduces meaningful tools to improve sustainability, including the new attestation program, which has real potential to channel support back into the ecosystem.
A well-designed law, however, doesn’t mean there will be no impact.
Drawing on direct involvement in the CRA implementation process through the ORC WG and the CRA Expert Group, Tobie will walk through how these changes will affect open source communities in practice, why the underlying structure of the CRA makes sense, and how open source communities can position themselves to benefit from it, if they so wish, to deliver more secure software more sustainably.
Speakers
- Tobie Langel