EU CRA (Cyber Resilience Act)
Posted Jan 3, 2026 10:17 UTC (Sat) by Wol (subscriber, #4433)
In reply to: EU CRA (Cyber Resilience Act) by hailfinger
Parent article: Kroah-Hartman: Linux kernel security work
> ‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;
Which pretty much describes a business that supports open source as its business ... like Red Hat, SUSE or Ubuntu
And your reference basically says they have to have a security policy, which they have to provide to the regulator on request.
To my mind, it's not at all clear what the liabilities of a steward are, beyond providing the said security policy.
> (24) 3. The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.
So what happens if the Open Source Steward provides support services but not development resources for Open Source Projects? Take Apache, for example: it doesn't look as if they're affected by this ... from what little I know, Apache projects all have their own teams, and Apache just provides an umbrella - which this clause appears NOT to catch.
I'll need to read it again, but I don't see what difference a project joining a foundation would make to the project. It might make a difference to the foundation ...
> There is no such thing as a CRA mark. Sorry.
My bad - but it must have something. There must be some sort of B2B agreement in place which I've taken to calling a CRA mark. The CRA will not look kindly on a business - selling software as part of their product - that does not have a formal agreement in place for its maintenance.
I'll read the CRA again ...
Cheers,
Wol
