February 25, 2026

Please note that the information provided in this document is for informational purposes only and does not constitute legal advice.

The FreeBSD Foundation has launched its Cyber Resilience Act (CRA) Readiness project for 2026 to prepare the Foundation, the FreeBSD Project, and the broader FreeBSD community for the European Union’s landmark cybersecurity legislation. This post provides context for why we are investing in this work now, and information about what the project will cover.

The EU is regulating software security

The EU’s CRA (REGULATION (EU) 2024/2847) represents one of the most significant pieces of software security legislation in recent history. It places commercial software into a regulatory framework for security and, if products are found to be non-compliant, it specifies fines of up to 15 million euros or 2.5% of a company’s total worldwide annual turnover, whichever is higher.

Manufacturers are required to manage the security risks posed by their supply chain

For manufacturers, the CRA mandates essential cybersecurity requirements with which they must comply during the design, development and production of their products.

These requirements fall into two main categories, each of which has stringent enforcement:

  1. Products must be secure by default.

Manufacturers must actively manage the cybersecurity risk across the full lifecycle of their products. They must document how they are doing this (including providing an SBOM) and make it available to the market surveillance authorities. They must exercise due diligence in their use of third-party components such as open source projects. They must provide a declaration of conformity with the CRA on the basis of having carried out an accepted conformity assessment procedure.

  2. Vulnerabilities must be rapidly reported.

Once the product is on the market, manufacturers must act quickly when actively exploited vulnerabilities are discovered. Notifications must be reported on the CRA Single Reporting Platform with deadlines as follows: 24 hours for an early warning notification, and 72 hours for the main notification. Further reporting deadlines also apply within a 14-28 day window.

There is a lot more detail provided in the CRA itself, but these headlines are enough to give a clue to the sorts of activities that manufacturers will soon start doing to meet the CRA requirements.

The CRA is already law, with staged compliance deadlines

The CRA entered into force on 10 December 2024. Its main provisions will start applying from 11 December 2027. Reporting obligations come into force on 11 September 2026.

Products placed on the market before 11 December 2027 are only subject to the CRA if they undergo substantial modification after that date. Reporting obligations apply to all products with digital elements available in the EU market, including those already on the market before 11 December 2027.

Open source projects have limited CRA responsibilities, but face both opportunities and risks

Open source projects have limited responsibilities

Many in the open source community have been watching this coming down the tracks. The first iteration of the CRA did not mention open source at all. Thanks to feedback from many open source contributors, the CRA now contains robust carve-outs of responsibility for open source projects. 

Happily, individuals who contribute to free and open source projects are exempted from all legal responsibilities, even if they are paid to contribute to a project.

Organizations that are classified as ‘open source stewards’ have limited responsibilities under the CRA and cannot be fined. The FreeBSD Foundation likely falls under this classification. Individuals cannot be stewards.

The risks to an open source project

Does this mean an open source project has nothing to worry about? For open source projects which are used in downstream commercial software products there are some areas where things might get rough once manufacturers start getting serious about CRA compliance.

One example is a “due diligence denial of service attack”. What happens when many manufacturers aim to carry out a due diligence process on the components in their SBOMs? A project with a large downstream user base might receive a deluge of requests for information.

Or, how about when an exploited vulnerability is discovered in your open source project? A manufacturer would have to report it within 24 hours, and your project might receive requests for information and patch submissions (or demands for fixes!) that come with a lot of pressure attached. Does your project have the processes and staffing for this?

Another, more insidious, possibility is that any open source project that is not prepared for the CRA may simply get swapped out or passed over by manufacturers who see a more compliant option. This could contribute to putting a project on a downward trajectory. If you are thinking “my project is too hard to swap out”, consider this: an unprepared project that cannot be easily swapped out might find that downstream users start making SBOMs just for their fork (which could create all sorts of complexities and upstream queries).

The opportunities for open source projects

It is not all doom and gloom, though. The CRA has the potential to change the power dynamics of the open source landscape. Projects that are proactive in preparing for the CRA will be better positioned to forge new relationships with their downstream users.

When manufacturers need SBOMs, documentation on security processes, and swift vulnerability management responses to avoid eye-watering fines, they may be more incentivized to support their upstream open source projects.

Projects could secure funding agreements, gain dedicated security staffing support, or establish formal partnerships with manufacturers.

Open source projects all over the world are working together to figure this out. After all, it’s what we do.

The FreeBSD Foundation is committed to helping FreeBSD navigate this important change successfully.

The FreeBSD Foundation’s CRA Readiness project

For FreeBSD, getting prepared now means we can take a proactive approach to CRA readiness and leverage as much benefit as possible while reducing potential harms.

The high-level project goals are: make sure the Foundation fulfills its legal obligations as an open source steward, protect the Project from disruption as manufacturers work to meet CRA requirements, and ensure that our contributors understand they are not personally exposed to legal liability under this legislation.

What we are working on

The project is organized into six workstreams running through 2026:

Security and vulnerability handling

This is the core of the effort. Foundation staff will work closely with FreeBSD’s Core team, Security team, Ports Security team, and downstream vendors to develop a shared understanding of CRA responsibilities and to examine how we collectively respond to CRA-related scenarios. This is a sustained, 12-month effort that takes a holistic view of FreeBSD’s security posture, and will result in updated policies, public positions, and documentation where needed.

SBOM toolchain

This addresses one of the CRA’s most concrete requirements: Software Bills of Materials. Rather than leaving manufacturers to independently generate their own (potentially inaccurate) SBOMs for FreeBSD-based products, we are building a single, authoritative, open source SBOM toolchain. This work builds on development started in 2025 under our Infrastructure Modernization project. Over the next four months, we will be adding SBOM information files, identifying and filling licensing gaps, and collaborating with upstream projects to improve SBOM metadata. A shared, accurate SBOM solution is better for everyone.

Public documentation

This will give manufacturers, maintainers, and contributors clear, FreeBSD-specific information about CRA requirements, including emerging processes and key contacts. The content will evolve as our understanding deepens across the other workstreams.

Community legislative engagement

This will open up a simple communication channel (most likely a mailing list) so that the FreeBSD community can participate in EU policy development. Bodies like CEN, CENELEC, and ETSI regularly seek input from the open source world, and we want to make sure FreeBSD voices are part of that conversation.

A public-facing project repository

This will serve as the running record of everything we do. We are committed to transparency: detailed updates, outputs, and decision-making will all be documented here as the project progresses.

Communications

We will keep the broader community informed through blogs, social media, and other channels as we hit key milestones.

A note on scope

The CRA is new legislation, and real-world guidance on implementation continues to evolve. We have designed this project to adapt as our understanding develops, and though the workstreams above reflect our best current thinking, you should expect the details to shift over time. We will keep you informed as they do.

Learn more