February 8, 2024

The FreeBSD community recognizes the importance of cybersecurity measures to safeguard digital infrastructure and protect user data. This is why we have been a leader in security by design for 30 years and why many leading security vendors base their solutions on FreeBSD. 

The European Union Cyber Resiliency Act (CRA) represents a watershed in government regulation of cyber resilience across the EU.

Open source communities, including the FreeBSD Foundation, initially expressed concerns that the CRA could subject open source projects, communities, and developers to the same security procedures and potential fines as commercial entities.

The FreeBSD Foundation gratefully acknowledges the efforts made during the legislative process to raise and address these concerns and welcomes the revisions made in the final version of the CRA. The final version improves important exclusions of open source projects, communities, foundations, and their development and package distribution platforms. 

The FreeBSD Foundation supports initiatives that promote cybersecurity standards and best practices while preserving the principles of openness, transparency, and collaboration foundational to the open source community. We commend the European Union for engaging with open source stakeholders and taking steps to ensure that the CRA strikes an appropriate balance between enhancing cybersecurity and supporting open source innovation.

The FreeBSD Foundation will continue contributing to the ongoing cybersecurity dialogue and collaborating with policymakers, developers, users, and industry to address emerging threats. We do so through active participation in the Open Policy Alliance, active and ongoing engagement with security researchers and entrepreneurs building with FreeBSD, and close collaboration with other open source security professionals. We believe that through continued engagement and cooperation, we can collectively build a more secure and resilient digital ecosystem for all.

Below please find resources on what the CRA means for open source.