A note on legal advice: This guide is intended for informational purposes only and does not constitute legal advice. If the CRA may affect you or your organization, please consult qualified legal counsel about your specific obligations under the EU Cyber Resilience Act.
Who is this guide for?
- FreeBSD vendors/downstream manufacturers of products containing FreeBSD.
- Commercial users of FreeBSD (where FreeBSD is not part of a product they sell).
- Donors to FreeBSD.
What is the CRA?
The EU Cyber Resilience Act (CRA) is a regulation that sets mandatory cybersecurity requirements for hardware and software products sold in the European Union.
It aims to ensure that “products with digital elements” (like apps, IoT devices, and software) are secure by design and remain secure throughout their lifecycle.
The law places obligations on manufacturers to fix vulnerabilities, provide security updates, and manage risks from development through maintenance.
It also improves transparency for users and introduces certification (e.g., CE marking) to show compliance with cybersecurity standards.
The Act entered into force in December 2024, with a phased compliance timeline which will be complete in December 2027.
I use FreeBSD, am I affected by the CRA?
Using FreeBSD in itself does not affect your CRA compliance status. Your compliance status is determined by whether you are considered a “manufacturer” under the CRA.
You must comply with the CRA if you are a manufacturer or vendor placing products on the EU market (FreeBSD may be part of the product you sell but is not a deciding factor in whether the CRA applies to you).
The CRA usually does not apply to end users of products or open source projects such as FreeBSD, or to hobbyists.
What is the compliance timeline?
- 11 December 2024: The Cyber Resilience Act (CRA) becomes EU law.
- 11 September 2026: Manufacturers must comply with vulnerability reporting requirements, including for products already on the market.
- 11 December 2027: All other CRA obligations become fully applicable.
How does the CRA affect FreeBSD?
The FreeBSD project itself is outside of the scope of the CRA because it does not place FreeBSD on the market as a commercial product, even though it is intended for commercial end use. The CRA has specific provisions to recognise and protect the important role of open source in making commercial products possible.
The CRA also recognises a role it calls “open source stewards”, which places legal obligations on organizations that support open source products (for example, the FreeBSD Foundation). These obligations relate mainly to encouraging secure development in the open source project and reporting relevant security incidents to the EU Cyber Security Agency, ENISA. Stewards are exempt from fines which would normally apply to manufacturers.
The CRA could affect the FreeBSD project in other ways though. Manufacturers have quite rigorous obligations under the CRA to provide products that are secure by default and to report vulnerabilities rapidly. Non-compliance with these can bring heavy fines (up to 15,000,000 EUR or 2.5% of global annual turnover). The FreeBSD project may see a number of second-order effects caused by manufacturers who are seeking to ensure their own compliance. This might include an increase in requests for information about FreeBSD’s components (e.g., a request for an SBOM) or requests for details about its development practices. The Project is also likely to be contacted with urgent requests for response relating to any actively exploited vulnerabilities detected in manufacturers’ products that may be traced to the FreeBSD code base.
Who is responsible for ensuring that FreeBSD is CRA compliant?
FreeBSD is not subject to the CRA because it is not a product placed on the market. However, any manufacturer incorporating FreeBSD into its products is responsible for ensuring that all its code (including FreeBSD) is compliant with the CRA. Neither the FreeBSD Project nor the FreeBSD Foundation has, or can legally take, responsibility for the CRA compliance of FreeBSD when it is part of a manufacturer’s product.
How does the CRA affect vendors that use FreeBSD in their commercial offering?
Vendors (manufacturers) will need to look at their overall plan for achieving CRA compliance. FreeBSD will likely be just one of the open source components they use to create their commercial product, and a robust plan to cover CRA compliance will need to include all 3rd party code.
What are manufacturers’ main obligations under the CRA?
You must ensure secure design, perform risk assessments, provide security updates, handle vulnerabilities, and maintain documentation for compliance.
I use FreeBSD on my company’s desktop/laptop/servers – what does the CRA mean for me?
If you are not providing a product containing FreeBSD to the EU market, you are not required to become CRA compliant.
Vendors that provide services hosted on their own FreeBSD servers may not be subject to the CRA as long as there is no locally installed consumer software. This is a nuanced area and each vendor must assess their CRA obligations with appropriate legal advice.
I support FreeBSD financially through donations – does that make me a manufacturer under the CRA?
No, manufacturer status is determined by whether you are placing a product on the EU market. Making donations to the FreeBSD Foundation does not change your status under the CRA.
What is the role of the SBOM (Software Bill of Materials) in manufacturer compliance?
Manufacturers must produce an SBOM for their product as part of their CRA compliance.
How can I obtain a FreeBSD SBOM?
The FreeBSD Foundation has been leading a project to create the toolchain necessary to be able to create a FreeBSD SBOM on demand. You can follow the progress on this work at https://github.com/FreeBSDFoundation/all-projects/tree/main/Cyber%20Resilience%20Act%20Readiness/monthly-updates
How should I handle FreeBSD vulnerabilities?
As a manufacturer, if you discover an actively exploited vulnerability in your product, and that product is for sale on the EU market, you must report it to ENISA and to your appointed CSIRT. Note that there are very tight deadlines for this process and potentially large fines for non-compliance.
If that vulnerability is in FreeBSD, please also follow the steps to report a vulnerability given on the FreeBSD website https://www.freebsd.org/security/reporting/.
Under the CRA you will be expected to ensure that there are no known vulnerabilities in any product you have on the market. Be sure to keep your implementation of FreeBSD updated, and apply any security patches released by the project as per https://www.freebsd.org/security/.
Who is responsible for addressing vulnerabilities found in FreeBSD?
Under the CRA, manufacturers are responsible for fixing all code in their product regardless of whether it is originally from a 3rd party or not.
Additionally, when a manufacturer fixes the code that is present in an upstream open source project they must also offer that fix to the project. The upstream project chooses whether to accept it or not.
The FreeBSD project has a Security Team that handles the process of creating, testing and applying patches to FreeBSD vulnerabilities.
What timelines does FreeBSD follow for vulnerability handling?
The FreeBSD Security Team does not provide any guaranteed timelines for any of the work it does. All work is done at a pace derived from the nature of the vulnerability, the risk it poses, and the availability of the team members and other contributors. The bias is towards the best possible security outcome and the role of timing is considered when choosing the best course of action.
I’m not a manufacturer, can I still report vulnerabilities to ENISA?
Yes, the CRA encourages voluntary reporting from anyone.
How can I get information about FreeBSD’s secure development practices?
The project provides information publicly (see links below).
- https://docs.freebsd.org/en/books/developers-handbook/secure/
- https://docs.freebsd.org/en/books/handbook/security/
If you require more information than you can find publicly, please contact the FreeBSD Foundation in the first instance (not the FreeBSD Security Team) using the CRA email address cra@freebsdfoundation.org.
Does the Foundation offer any warranty that will help manufacturers assert FreeBSD’s security practices?
Not currently. There is a section of the CRA that proposes “voluntary security attestations” as a mechanism for open source projects to evidence their security practices but it’s currently unclear how this is intended to work. The Foundation is keeping closely aligned with developments in this area. If you are interested in obtaining a security attestation from the FreeBSD Foundation please get in touch at cra@freebsdfoundation.org to discuss your needs.
My question hasn’t been answered, how can I ask it?
Please contact the FreeBSD Foundation in the first instance (not the FreeBSD Security Team) using the CRA email address cra@freebsdfoundation.org.