We’re pleased to share that we’ve moved from planning to execution. The Cyber Resilience SIG’s deliverables plan has been expanded with clear, actionable projects, which will each be supported by a dedicated task force. This marks a significant milestone in our collective efforts to operationalise our goals. We invite all interested community members to get involved: whether by joining a task force aligned with your expertise or stepping up as a contributor. Check out the list of current task forces and their leads and reach out directly to participate.
Timo Perala and Dirk-Willem van Gulik
ORC co-chairs
What’s New
- The CRA for maintainers webinar was a blast – full of energy, good questions from a deeply engaged audience, and strong support for the community-driven CRA FAQ. It was a standout session in this year’s Maintainer Month.
- The inventory of CRA resources is now under community review. Don’t miss the opportunity to provide your feedback on it.
- Discussions are ongoing across multiple ESO-led meetings (CEN/CENELEC and ETSI), and members of the ORC community are participating to help represent open source perspectives. One highlight: vulnerability reporting is now being tackled by a dedicated task force. If you care about this topic, stay tuned and join the Task Force.
- Inspired by conversations with stakeholders less familiar with how open source operates, the ORC WG has started working on a white paper on types of open source projects.
- Interest in CRA-related discussions is growing across events and conferences. During our latest outreach and engagement call, we talked about ways to coordinate participation and create shared assets to support speakers. You’ll find more details in the meeting minutes.
Top Conversations in the CRA FAQ
- Under the CRA, do I need to notify ENISA of all vulnerabilities in my project? I've heard about a 24h rule - https://github.com/orcwg/cra-hub/issues/32
- Bad evil software with vulnerabilities for training and education - https://github.com/orcwg/cra-hub/issues/235
- I am building an embedded O/S with Yocto and selling a product with it. Is the product an "important product"? - https://github.com/orcwg/cra-hub/issues/193
- What are the implications for stewards that don't comply with CRA - https://github.com/orcwg/cra-hub/issues/216
Overheard
The ORC working group partnered with GitHub to present “The Cyber Resilience Act and Open Source: What Maintainers Really Need to Know” as part of Maintainer Month.
https://www.linkedin.com/feed/update/urn:li:activity:7323240186434281472/?actorCompanyId=105844805
With over 200 live attendees, 1000+ views in 12 hours following the event, and over 100 comments during the session, it was a great talk shared with our community and allowed us to reach new people.
Upcoming Events
- Digital Enterprise Show | 10-12 June 2025
- Global Collaboration on Wallets and Credentials | 1-2 July 2025 | Geneva
ORC will be partnering with the Eclipse Dataspace Working Group to plan a breakout session, “Sovereignty by Design: Regulatory Compliance, the CRA” on Day 2.
Recent Talks & Events
- CRA Mondays | Olle E. Johansson - The path to a global vulnerability management platform
- The Cyber Resilience Act and Open Source: What Maintainers Really Need to Know
- CRA Mondays | How to stop worrying and love the NLF - Fukami
- CRA Mondays | OWASP SAMM - Maxim Baele
- Automotive Open Source Summit - We hosted an ORC table to share insights on how the CRA may affect open source, connecting with members from various automotive initiatives.