
The Cyber Resilience Act (CRA) marks a turning point in how Europe approaches the security of digital products. For the first time, it sets clear, horizontal rules across all sectors, requiring that hardware and software placed on the market meet essential cybersecurity requirements. This is a positive and necessary step toward improving trust in digital technologies, but it also introduces challenges for the open source ecosystem.
The CRA was designed primarily with traditional manufacturers in mind. Its requirements for security, documentation, and accountability were written for commercial supply chains, not for globally distributed communities of volunteers and foundations building open source software. This mismatch created uncertainty across the ecosystem: How could open source contributors, who often work without direct commercial intent, fit into a regulation that assumes there’s always a “manufacturer” at the top of the chain?
It’s in this complex space that the Open Regulatory Compliance (ORC) Working Group, hosted by the Eclipse Foundation, has emerged as a key forum for collaboration, learning, and action. ORC brings together over 60 institutions, including, for the first time, 20 different open source foundations, to work on one shared goal: making CRA compliance understandable, achievable, and aligned with the reality of open source development.
Together, they are demonstrating that the most effective way to reduce compliance friction is through cooperation. With the right collaboration and shared understanding, compliance can become a catalyst for quality, security, and trust. The ORC Working Group has become the platform where foundations can exchange best practices, identify gaps in standards, and help regulators understand how open source actually operates.

Why foundations are essential to CRA implementation
The CRA introduces new expectations around vulnerability handling, documentation, and security assurance. For individual developers or small projects, these requirements can seem challenging. However, open source foundations are uniquely positioned to provide structure, continuity, and governance that make compliance possible at scale.
As open source software stewards, foundations already serve their communities by managing legal frameworks, ensuring project sustainability, and supporting secure development practices. Organisations such as The Apache Software Foundation, OWASP, the Python Software Foundation, the Eclipse Foundation, and many others exemplify this role. By providing governance structures, coordinated security policies, and long-term project continuity, these foundations enable developers and organisations to work confidently within shared frameworks.
This collective approach avoids fragmentation and helps ensure that all open organising early and speaking collectively, open source foundations can help shape how policy is implemented rather than simply reacting to it. The collaborative model established by ORC provides a template for how the open source ecosystem can continue to thrive under new regulatory realities: grounded in transparency, built on trust, and guided by shared responsibility. As the CRA moves toward implementation, the message from the open source community is clear: we are ready to engage, to adapt, and to help build the resilient, secure, and innovative digital future that Europe envisions.
In summary, the Cyber Resilience Act challenges us to think differently about how open source and regulation can coexist, and also about how open source foundations need to coordinate, share what they learn, and build mutual respect among all stakeholders (foundations, developers, and policymakers).
When open source foundations work together, compliance becomes not just possible, it becomes an opportunity to strengthen the entire digital ecosystem.
About the Author
Gaël Blondelle is an open source advocate with 20 years of experience. He joined the Eclipse Foundation in 2013 and is now Chief Membership Officer. In 2024, he joined the board of the Open Source Initiative, where he serves as Secretary. Previously, Gaël co-founded an open source start-up where he served as CTO, and led open source business development for a systems integrator. At the Eclipse Foundation, his mission is to help organisations embrace open source, fostering innovation through openness and collaboration. Learn more about Gaël’s work: https://orcwg.org/