A note on legal advice: This guide is intended for informational purposes only and does not constitute legal advice. If the CRA may affect you or your organization, please consult qualified legal counsel about your specific obligations under the EU Cyber Resilience Act.
Who is this guide for?
- Core Team and other administrative team members
- Committers/Maintainers
- Contributors
What is the CRA?
The EU Cyber Resilience Act (CRA) is a regulation that sets mandatory cybersecurity requirements for hardware and software products sold in the European Union.
It aims to ensure that “products with digital elements” (such as apps, IoT devices, and software) are secure by design and remain secure throughout their lifecycles.
The law places obligations on manufacturers to fix vulnerabilities, provide security updates, and manage risks from development through maintenance.
It also improves transparency for users and introduces certification (e.g., CE marking) to show compliance with cybersecurity standards.
The Act entered into force in December 2024, with a phased compliance timeline that will be complete in December 2027.
How does it affect FreeBSD?
The FreeBSD project itself is outside of the scope of the CRA because it does not place FreeBSD on the market as a commercial product, even though it is intended for commercial end use. The CRA has specific provisions to recognise and protect the important role of open source in making commercial products possible.
The CRA also recognises a role it calls “open source stewards”, which places legal obligations on organizations that support open source products (for example, the FreeBSD Foundation). These obligations relate mainly to encouraging secure development in the open source project and reporting relevant security incidents to the EU Cyber Security Agency, ENISA. Stewards are exempt from fines which would normally apply to manufacturers.
The CRA could affect the FreeBSD project in other ways though. Manufacturers have quite rigorous obligations under the CRA to provide products that are secure by default and to report vulnerabilities rapidly. Non-compliance with these can bring heavy fines. The FreeBSD project may see a number of second-order effects caused by manufacturers who are seeking to ensure their own compliance. This might include an increase in requests for information about FreeBSD’s components (e.g., a request for an SBOM) or requests for details about its development practices. The Project is also likely to be contacted with urgent requests for response relating to any actively exploited vulnerabilities detected in manufacturers’ products that may be traced to the FreeBSD code base.
Do the Core team and other teams have a legal liability under the CRA?
No, the CRA recognizes that open source software is a valuable part of the software industry and has laid out protections for open source projects and their contributors and maintainers so that they are not expected to bear the burden of supporting manufacturers in their compliance obligations.
Does the Foundation have a legal liability under the CRA?
Yes, the Foundation is classed as an open source steward under the CRA. This is a special classification, new to EU law, which places a light set of obligations on organizations that systematically support open source projects. These obligations include having a policy that encourages secure development of the project, and reporting actively exploited vulnerabilities that it becomes aware of. There are no fines on stewards.
What indirect impacts should leadership expect?
Leadership should expect increased expectations from downstream vendors for security processes, documentation, traceability, and timely vulnerability handling.
Am I subject to the CRA if I only contribute to an open source project?
No. Individual contributors are not regulated under the CRA when acting in a non-commercial capacity.
Should I avoid contributing due to CRA concerns?
No. The CRA explicitly aims not to burden non-commercial open-source contributors.
Am I subject to the CRA if I earn a living from contributing to FreeBSD?
Likely no, because the CRA allows you to cover your costs without being considered a manufacturer. However, you should get advice on your own specific situation as there are a number of factors to consider.
Will I need to do anything differently when I contribute to FreeBSD?
Not currently. It’s possible that the development practices of the project overall may adapt in light of the CRA environment, but as long as you are adhering to the published FreeBSD development guidance, you will be doing enough.
Will the FreeBSD project have to change the way it works?
There may be some changes to security and development practices that will help to keep FreeBSD in line with manufacturers’ security expectations as they evolve with the rollout of the CRA.
My question hasn’t been answered. How can I ask it?
Please contact the FreeBSD Foundation in the first instance (not the FreeBSD Security Team) at cra@freebsdfoundation.org.