Dear all,
Following the publication of our guide to help Open Source actors understand the Cyber Resilience Act (CRA) at the end of 2024 (an English version of the report is also available), we (CNLL and Inno3) are now working on an updated version.
This new version will incorporate several key developments:
- Evolutions regarding the CRA since the initial publication.
- Feedback received on the first version.
- Three new, more detailed use cases.
The updated and enriched guide will be presented during OSXP 2025 next month.
We Need Your Feedback: Take Our Survey
To gather a broader understanding of the community's perception of the CRA, we have created a short survey. Your input would be highly valuable.
You can access the survey here: https://sondages.inno3.eu/s/cmfzlw902000fsp011yt60egl
Please note that the survey is in French, but you are welcome to provide your answers in English.
The updated report will be published in French, and translated to English.
Key Topics for Further Discussion
Several points require particular attention as we move forward:
- The relationship between the CRA and other regulations (e.g., PLD, NIS2).
- The definition of an "Open Source steward," which is not limited to non-profit foundations and could apply to companies for software they do not directly commercialize.
- The unresolved question of providing free security updates.
- Clarification of the concept of "placing on the market."
- The distinction between products and services, particularly the implications of "remote processing" for SaaS offerings that include an SDK.
Planned Use Cases
We are planning to study three community project use cases in more detail. The initial list includes the following (subject to the projects' availability to collaborate):
- Debian or QGIS
- Qt
- The Document Foundation / LibreOffice
We look forward to your feedback, on the survey or via email.
Best regards,
S.