[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

European Cyber Resilience Act and policy making with the European Commission

Dear Debianites

The European Commission Open Source Programme Office (EC OSPO) is open to hearing our thoughts on the upcoming Cyber Resilience Act (CRA), which aims to ensure that hardware and software products sold in Europe have fewer security vulnerabilities and are appropriately addressed when discovered. The EC OSPO is considering an audience with us, and possibly even with the European Commision itself.

Although the legislation includes an exclusion for non-commercial Open Source software, its impact on commercial products and services based on Open Source software is not entirely clear. This issue has a direct impact on our larger community (especially commercial users) and those who fund Debian work, making it important for us to consider our official position on the matter.

A longer description, along with the current proposal of legal text and annexes are available on the EC website:


Last weekend at FOSDEM, there were a few short presentations on the topic, along with a panel discussion which dives a bit deeper into the topic:


The OSI is maintaining a list of public responses to the CRA from Open Source projects:


As the Debian Project Leader, I would like to form a team to assist with evaluating this and creating a formal response, if necessary. If you are interested in being part of this team, please reach out to me off-list.

Other than that, feel free to share your thoughts or discuss it further on this thread.


Reply to: