How to Get Involved with CRA Standardization

Seminar 2

12:00 · 15 mins · 07/11/2025

The Cyber Resilience Act (CRA) has been European Union law since December of 2024, and it first comes into effect in Fall of next year. As one of the rapporteurs working on harmonized standards for the CRA’s product-class-specific “verticals”, I want to share how that project is progressing, with an emphasis on what the need to meet these standards could mean for Free Software. Free and Open Source Software doesn’t need to comply with the CRA, and even where it must, Open Source projects can almost always self-certify without reference to EU harmonized standards. Despite this, I want to suggest that Free Software should view the CRA as a partner in efforts to make more ethical and more secure software. The relative ease of CRA compliance for Free Software could be part of a Europe-wide move towards the adoption of Free Software technology and values, as well as a tool to increase maintenance funding for FOSS projects.

More important than its role as a sign of EU openness to FOSS development, or its possible use as a new funding tool, the CRA and its standardization process represent an opportunity for Free Software developers to have an impact on global software development and the laws around FOSS products. The drafts for the CRA will be finalized in December 2025, but until then, the rapporteurs and other experts working on them are seeking public input, including from smaller developers and the FOSS community.

This talk encourages Free Software developers to provide comment on the official harmonized standards’ drafts. I will provide instructions on how to access the drafts and comment on the CRA’s vertical standards. I will also discuss a few ways to make that comment effective by understanding key limits of the standards, the standardization process, and the Act.