
EU CRA (Cyber Resilience Act)

Posted Jan 2, 2026 21:34 UTC (Fri) by Wol (subscriber, #4433)
In reply to: EU CRA (Cyber Resilience Act) by hailfinger
Parent article: Kroah-Hartman: Linux kernel security work

Stewards aren't affected by the CRA either! READ THE CRA.

Companies have contracts with suppliers. In order for a component to be legal as part of a product, IT MUST HAVE A CRA MARK. And in order to have a CRA mark, there MUST be contracts in place to say who is legally liable.

So as a company, you either pay the foundation, or the project, or the maintainer, for a support contract that includes a CRA mark, or you provide your own CRA mark.

Simply put, without a contract in place the CRA can't touch you. It will, however, clobber any company that uses your product thinking they can offload the responsibility off to you at no cost to themselves. That's by design ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 2, 2026 22:05 UTC (Fri) by hailfinger (subscriber, #76962) [Link] (9 responses)

> Stewards aren't affected by the CRA either! READ THE CRA.

I did read the CRA. I even commented on it before it became the law and some of my suggestions ended up in the CRA. So yes, I think I can claim that I did read it.

And yes, despite your claims, stewards are affected by the CRA.
Please look at the official text of the CRA, Chapter II, Article 24: "Obligations of open-source software stewards".
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=...

> [...] IT MUST HAVE A CRA MARK

There is no such thing as a CRA mark. Sorry.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 9:31 UTC (Sat) by kleptog (subscriber, #1183) [Link] (4 responses)

I really hope we can avoid a massive CRA discussion here again. This horse has been quite beaten to death. Especially since the whole discussion tends to get mired in the fundamentally different way Europe and the US regulate markets. Europe tends to write out a description of how they want the market to work and then rely on the market participants to keep each other honest. The US tends to be more prescriptive and sets the government up as judge, jury and executioner, and the market participants spend their time trying to figure out how to avoid scrutiny.

Case in point: open source stewards. Who decides who is one? No-one. Don't give yourself that label and you're all set. That text is largely aspirational, it describes how the EP expects open source to work within the CRA framework. Its value is largely in making clear to the CxOs that all those people doing unpaid open-source work are not responsible for their bonuses. For extra clarity, Article 64.10b says stewards can't be fined, even if you could figure out who they are.

European law is largely written by people with no legal training, which means you get a lot of text of dubious legal value. A significant chunk of the Parliament and Council are very careful to make sure the EU (and governments in general) don't actually gain any powers that aren't strictly required. Concentrated executive power (we know from experience) is very risky. Read any contracts before you sign them, that's the most important lesson.

But I can say from personal experience that the CRA has also made it way easier for me to get time for security and software maintenance. Suddenly SBOMs are on the agenda, after years of being summarily dismissed.

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 15:12 UTC (Mon) by poruid (subscriber, #15924) [Link] (3 responses)

Excuse me, but stating that EU law is written by legal nitwits is baseless.

Besides that, the CRA as far as FOSS is concerned, has been modelled to ensure that downstream free riders MUST upstream fixes that the CRA obliges them to provide. That is good, very good.

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:09 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

And while it's a hobby horse of mine, assuming that a lawyer understands the law - even in his own specialty! - is a dangerous thing to do. As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?". The same could be said about lawyers - and once you assume that all your hot-shots are in high powered jobs, what does that say about your average high street doctor or lawyer!!!

Mix a high intelligence, and a good grasp of the detail, and you don't need to be a professional to outperform your typical high-street practitioner.

Mind you, you also need my attitude to electrics - as an okay amateur sparky, my FIRST response to any job is "if I don't understand it, get a professional involved". You can then assess the professional's competence ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 16:39 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (1 response)

> As a doctor mate of mine once said - "50% of people are below average intelligence, so what does that say about doctors?".

My gripe with this is that they're actually talking about the median. It also assumes doctors are uniformly sampled across the "intelligence spectrum" (as measured by, presumably, IQ) and all the faults with that.

I don't think anyone would say "50% of people at IAS in the 1930's and 1940's were below average intelligence" without also having a footnote of "but all are sampled from the top 1% of the world population". And the internal rankings would certainly differ from those on the outside (cf. Einstein and him ranking Gödel as above himself, IIRC).

EU CRA (Cyber Resilience Act)

Posted Jan 5, 2026 17:37 UTC (Mon) by Wol (subscriber, #4433) [Link]

I don't know that intelligence *should* be a factor in sampling people to become doctors (other than filtering out the subnormal). Certainly in my case intelligence seems to have been a DEselection criterion. I got grades A, B, B; your typical offer iirc was about C, D, D, and your successful candidate typically achieved B, C, C. Certainly I think only ONE of my successful fellow candidates from school got a higher grade.

Absent reliable information one way or the other, I'm happy to assume reasonably random selection (although of course I've missed the fact that school leavers rig the criteria somewhat). That said, so do English Public Schools in the opposite direction, where a lot of people who get good grades come over as "rich and stupid".

However you play it though, my experience of legal work leaves me inclined to put the two letters "in" in front of your average lawyer's competence.

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 10:04 UTC (Sat) by lynxlynxlynx (guest, #90121) [Link]

Yes and no. Consider the definition of a steward:

> (14) ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

It's a long list of conditions that all have to be true for the article to come into play. For the vast majority of small projects using stewards to just host their secrets, a donation account and similar, the criteria won't be met.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 10:17 UTC (Sat) by Wol (subscriber, #4433) [Link] (2 responses)

> (14)

> ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;

Which pretty much describes a business that supports open source as its business ... like Red Hat, SUSE or Ubuntu.

And your reference basically says they have to have a security policy, which they have to provide to the regulator on request.

To my mind, it's not at all clear what the liabilities of a steward are, beyond providing the said security policy.

> (24) 3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.

So what happens if the Open Source Steward provides support services but not development resources for Open Source Projects? Take Apache for example, it doesn't look as if they're affected by this ... from what little I know, Apache projects all have their own teams, and Apache just provides an umbrella - which this clause appears NOT to catch.

I'll need to read it again, but I don't see what difference a project joining a foundation would make to the project. It might make a difference to the foundation ...

> There is no such thing as a CRA mark. Sorry.

My bad - but it must have something. There must be some sort of B2B agreement in place which I've taken to calling a CRA mark. The CRA will not look kindly on a business - selling software as part of their product - that does not have a formal agreement in place for its maintenance.

I'll read the CRA again ...

Cheers,
Wol

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 12:16 UTC (Sat) by hailfinger (subscriber, #76962) [Link] (1 responses)

The CE mark is probably what you were looking for. With the CRA a CE mark is also required for "products with digital elements", i.e. (in very simplified terms) anything which can run code or can interact with code or is code.

EU CRA (Cyber Resilience Act)

Posted Jan 3, 2026 13:10 UTC (Sat) by Wol (subscriber, #4433) [Link]

That's where I took it from. In effect what I call the CRA mark, is a CE mark applied to software, no?

Cheers,
Wol


Copyright © 2026, Eklektix, Inc.