ORC Monthly: CRA Expert Group, Recent Workshops, and More

Wednesday, February 26, 2025 - 03:17 by Juan Rico

The Open Regulatory Compliance WG has created new resources on GitHub for those who are just getting started or who want to learn how to contribute. We hosted our first workshop in Brussels, joined the EU Open Source Policy Summit and attended the first CRA Expert Group meeting, had multiple community members present during FOSDEM, and developed a deliverables plan that better defines next steps and how others can contribute. 

Timo Perala and Dirk-Willem van Gulik

ORC co-chairs

 

What’s New

  • The first CRA Expert Group meeting was held in Brussels in February with the goal of turning the CRA into action. This group will advise the Commission on issues such as the “implementation guidance” and on implementing the CRA. Attending members from open source foundations and the IT industry shared reports from the field and outlined due diligence requirements as a critical area for guidance, as well as guidance on components.
  • Attendees of the ORC workshop in Brussels drafted a deliverables plan that outlines the community’s next steps. Join the bi-weekly SIG calls to learn more and contribute.
  • At the EU Open Source Policy Summit, ORC joined a panel to explore how procedural standards being developed for the Cyber Resilience Act, AI Act, Data Act, and Interoperable Europe Act can align with the development and business models of free and open source software.
  • The Standardization Request for the CRA standards was published on 3 February. In this document, the EU directs the European standards organisations to develop specific standards supporting the CRA. The standards development is organized into three milestones with specific deadlines. Read the summary here for the most essential info.

 

Top Conversations

[open-regulatory-compliance] ENISA 2025-2027 Programming Document - Posted by Roman Zhukov

What are the timelines for standards drafting and compliance? Manufacturer FAQ

So I "monetise" on an open source project, what does it mean for me? FAQ – During the CRA Expert Group meeting in Brussels, ORC shared this question as an example of maintainer concerns about the CRA.

 

Overheard

Cover of The CRA is here, with a person stressed

 

Upcoming Events

Cyber Resilience SIG | Monday, March 3 (Occurs Biweekly)

Embedded World 2025 | Tuesday, March 11-13 - ORC will be part of the Eclipse Foundation booth; stop by to chat with Juan Rico, ORC Program Manager.

9th Cybersecurity Standardisation Conference | Thursday, March 20 - Tobie Langel is speaking on the panel “Overarching cybersecurity by standards”.

CVE/FIRST VulnCon 2025 & Annual CNA Summit | April 7-10 - Collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

View all events

 

In the News

What the EU’s new software legislation means for developers - Felix Reda, GitHub Blog

Neues vom Cyber Resilience Act – Ein Blick hinter die Kulissen - Open Source Business Alliance

2024 end-of-year review: policy and standards - Open Source Initiative

 

Recent Talks

Tobie Langel presenting at Open Source Experience

Watch: The CRA has landed. Now what?

View all talks

 

Welcome ORC Members

The following members joined in January and February 2025:

 

How to Participate