We’re pleased to share that, following active community discussions and collaboration, we have submitted feedback to the European Commission on the Definition of Important and Critical Product Categories. This contribution reflects our collective understanding of how the CRA definitions intersect with open source development and distribution.
Thank you to everyone who contributed time, insight, and expertise to this effort.
Timo Perala and Dirk-Willem van Gulik
ORC co-chairs
What’s New
- Feedback on the Definition of Important and Critical Product Categories was submitted.
- The first CRA Monday session featured Sebastien Heurtematte providing an overview of the OCCTET project. These sessions will take place bi-weekly (details in the community calendar) and proposals for future sessions can be submitted through GitHub - all suggestions are welcome.
- The Cyber Resilience SIG continues to refine and expand the deliverables plan, which outlines the expected outputs related to CRA engagement. New content includes additional detail on timelines, responsibilities, and links to in-progress work.
- Members of the ORC Working Group participated in the joint CEN/CENELEC–ETSI workshop in Brussels, supporting coordination between European Standardization Organizations (ESOs) on CRA-related work.
- Minutes from the first meeting of the CRA Expert Group are now available.
More recently, a working group of the CRA Expert Group focused on open source brought together a strong group of participants, including companies and foundations from across the ecosystem. Feedback on the meeting was generally positive, with the European Commission demonstrating openness to suggestions and a clear shift toward collaborative problem-solving, particularly on definition-related topics.
- Work on SBOMs continues to gain traction across a range of ecosystems. From OWASP initiatives to distro2SBOM, we’re seeing meaningful contributions emerge in broader and increasingly diverse communities.
- At foss-north, Olle E. Johansson and Salve J. Nielsen organised a CRA FAQ booth to gather input from attendees. Their contributions will help inform updates to the community-driven CRA FAQ.
Top Conversations
- Multiple CRA Verticals cover my Product
- I'm worried about the CRA and am considering shuttering my projects, what should I know?
- What implications does “indirect” usage (i.e., as a dependency of a regulated project) create for me?
Overheard
Upcoming Events
- Automotive Open Source Summit | May 13, 2025 | Starnberg, Germany
- Digital Enterprise Show | 10-12 June 2025
- Global Collaboration on Wallets and Credentials | 1-2 July 2025 | Geneva
ORC will be partnering with the Eclipse Dataspace Working Group to plan a breakout session “Sovereignty by Design”. Additional event details will be posted in the coming weeks.
Recent Talks
- The CRA is here. Let's build bridges! - Tobie Langel presented at the Swedish OSPO Network workshop on "Managing implications of the CRA and PLD on Open Source"
- CRA Monday - OCCTET Overview with Sebastien Heurtematte - In this first edition of the CRA Mondays series, Sebastien Heurtematte, OCCTET Project Coordinator, provides an overview of OCCTET—an EU-funded initiative that supports SMEs in meeting cybersecurity compliance requirements under the Cyber Resilience Act (CRA).
- Unpacking the CRA: How the Open Source Community is Collaborating on Open Regulatory Compliance - Tobie Langel stepped in to provide the broader open source community an update on the work ORC is doing in relation to the Cyber Resilience Act (CRA).
Welcome ORC Members
The following members have joined in since our last edition: