Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation

Leading organizations support global cybersecurity legislation preparedness efforts for open source communities.

BRUSSELS, Jan. 31, 2025 /PRNewswire/ -- Linux Foundation Europe and OpenSSF are excited to announce a global joint initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA) and future cybersecurity legislation targeting jurisdictions around the world. This effort aims to help develop and formalize much needed cybersecurity standards and compliance frameworks to help 100+ million open source communities understand and meet the regulatory requirements outlined in the CRA, with the goal of expanding efforts to address legislation around the world.

The initiative builds on the discussions and outcomes of the recent Open Source Software Stewards and Manufacturers Workshop, where key stakeholders came together to address the critical work needed to align manufacturers, open source projects, and open source software stewards with the requirements outlined in the CRA.

"As software becomes increasingly regulated across the globe, and as the steward for some of the most critical open source projects in the world, we feel the responsibility to reduce friction for our maintainers and software manufacturers leveraging upstream open source to comply with these regulations," said Mirko Boehm, Senior Director for Community Development at Linux Foundation Europe. "While the CRA represents the most immediate priority, our global nature means we can support projects across jurisdictions and prevent the burden of a fragmented regulatory landscape through established community driven standards and tools like those in OpenSSF "

While the initiative is driven by the immediate need to address the EU Cyber Resilience Act, its implications extend far beyond Europe. With cybersecurity now a global concern, the diverse participation from companies across regions, including the United States, APAC, and others, highlights the universal relevance of this effort. The goal is to equip open source communities and manufacturers worldwide with the tools they need to meet not only European requirements but also the evolving security standards in markets around the globe.

"Cybersecurity is a matter of global concern. I am excited to see efforts like the  EU's CRA come online as it touches on topics we've been working to embed within organizations' cybersecurity practices for decades," said Christopher "CRob" Robinson, Chief Security Architect of the OpenSSF. "I firmly believe that the responsibility for these practices rightly falls upon commercial entities to perform and provide, not the upstream open source maintainers. Mature manufacturers should already be doing the majority of the legislated requirements, while those that are not doing them will still have a short runway until the CRA finally goes into effect in 2027."

The EU Cyber Resilience Act sets new regulatory requirements for software security, placing a significant emphasis on the safety and security of digital products sold within the European market. As key players in the global open source community, Linux Foundation Europe and OpenSSF are  taking proactive steps to provide compliance guidance and tooling for maintainers and manufacturers, ensuring they are fully prepared for the act's enforcement.

Key Deliverables and Next Steps

The initiative will focus on several core deliverables over the coming months to help EU policy makers, including:

• Discussing and formalizing cybersecurity specifications: Developing community-driven standards to ensure open source projects can meet the security requirements outlined in the CRA.
• Providing compliance guidance: Offering tools, processes, and best practices to help maintainers, manufacturers, and developers align with the new regulations.
• Implementing compliance processes and tooling: Creating resources to support the open source community in automating and managing compliance with the CRA across upstream projects.

The Linux Foundation Europe and OpenSSF invite the broader open source community to participate in this initiative. To get involved:

• Visit the WG Repository: Global Cyber Policy WG GitHub
• Join Our Slack Channel: #wg-globalcyberpolicy on Slack
• Subscribe to Mailing Lists:
  • Global Cyber Policy WG Mailing List
  • CRA Readiness+Awareness SIG Mailing List
  • CRA Tooling+Process+Formats SIG Mailing List
  • CRA Spec Standardization SIG Mailing List

Supporting Quotes

"As regulatory standards for security continue to evolve, it's crucial that open source ecosystems remain resilient, secure and prepared to meet these requirements. With over 20 million software developers building their applications on the Arm compute platform, we recognize the critical role that open source plays in driving innovation and securing the digital ecosystem. Through Arm's involvement in this new initiative, our goal is to create resources that help open source projects, manufacturers, and developers understand their roles under the EU CRA, while offering tools and best practices to streamline compliance management."
– Megan Knight, Awareness SIG Lead and Director of Software Communities, Arm

"The Cyber Resilience Act will be both a challenge and an opportunity for the software industry and the global open source community. It is fundamentally important to prepare the entire ecosystem and all its participants in due time to meet the expectations set forth by the CRA. Ericsson welcomes the initiative of the Linux Foundation Europe and the OpenSSF to facilitate the development of crucial specifications, tools, and guidance to ensure CRA readiness. We look forward to collaborating with open source foundations, open source stewards, independent projects, and industry partners on this critical endeavour."
 – Per Beming, Chief Standardization Officer, Ericsson

"All open source projects stand to benefit from easily implementable cybersecurity practices," said Felix Reda, Director of Developer Policy at GitHub. "GitHub continues to engage with the European Commission to advocate for and achieve the greatest level of regulatory clarity for open source developers, and initiatives like that of Linux Foundation and OpenSSF are crucial for preparing the community for compliance with the Cyber Resilience Act."
– Felix Reda, Director of Developer Policy, GitHub

"The Cyber Resilience Act is a significant step toward ensuring digital products meet essential security standards. I'm encouraged by its focus on placing liability on organizations that profit from open source software, not maintainers. I'm also excited to see the OpenSSF advancing frameworks like the Security Baseline to support compliance. Cybersecurity is a team effort, and we look forward to collaborating with the EU and the broader community to build a safer world."
– Michael Lieberman, Co-Founder and CTO, Kusari

"Cybersecurity readiness is critical for all open source projects, including those in the JavaScript ecosystem, which powers nearly a billion applications worldwide. The OpenJS Foundation fully supports this initiative to help open source maintainers, manufacturers, and stewards navigate evolving global regulations like the EU Cyber Resilience Act. By equipping developers with the right tools and frameworks, we can ensure that open source remains a secure and trusted foundation for innovation."
– Robin Ginn, Executive Director, OpenJS Foundation

"The CRA represents a step forward in protecting the digital ecosystem. By enforcing strict cybersecurity measures, the CRA provides confidence that products entering the EU market are safer and more resilient, which can mean fewer vulnerabilities and reduced risks for businesses and their customers. However, these rules add new responsibilities and due diligence for organisations in the EU who are using open source projects in their in-scope products. Red Hat believes engaging with open source communities like the OpenSSF will be instrumental in furthering wide-spread adoption of open source software in Europe and globally, as vendors, communities and developers work together to create trustworthy software."
– Vincent Danen, Vice President of Product Security, Red Hat

"The EU Cyber Resilience Act represents a real opportunity for Open Source to embed good security and development practices in our work for the benefit of consumers. We were pleased that the EU recognised the unique role of Open Source Stewards in the development of software, and we now need to rise to the challenge of implementing these forthcoming standards. The work of organisations such as OpenSSF and Linux Foundation Europe is critical in preparing Open Source Stewards for these changes, and their support and expertise will, I'm sure, enable the Open Source community to achieve successful compliance."
– Rebecca Rumbul, Executive Director & CEO, Rust Foundation

About the Linux Foundation

The Linux Foundation is the world's leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world's infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry's most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
[email protected]

SOURCE Linux Foundation Europe