This page explains how you should engage with FreeBSD when you are working to meet your CRA obligations.

What is the CRA?

The EU Cyber Resilience Act (CRA) introduces cybersecurity requirements for products with digital elements sold in the European Union, with full compliance required from December 2027.

While FreeBSD itself is outside the regulation’s direct scope, the FreeBSD Foundation plays a defined role under the CRA, and many of the companies building on FreeBSD will need to comply.

For background on the Foundation’s CRA work, read our launch blog post: Getting ready for the Cyber Resilience Act.

The FreeBSD Foundation as an Open Source Steward

Under the CRA, the FreeBSD Foundation is classified as an open source steward, a category of organization that systematically supports open source development without placing products on the market.

Stewards have a defined but limited set of obligations which include:

  • Maintaining a policy that encourages secure development, and
  • To the extent they are responsible for development and infrastructure, reporting actively exploited vulnerabilities and severe incidents to ENISA, the EU Cyber Security Agency.

Stewards are not subject to the manufacturer penalties defined in the regulation.

[Read the FreeBSD Foundation’s cyber security policy]

Statement of the FreeBSD Core Team Regarding the EU Cyber Resilience Act

The FreeBSD Core Team recognizes the importance of the European Union Cyber Resilience Act (CRA) in promoting the security and sustainability of software used within the European market.

To provide clarity for users, contributors, commercial adopters, regulators, and other stakeholders, the FreeBSD Core Team acknowledges and endorses the FreeBSD Foundation as the primary organizational representative of the FreeBSD Project for matters relating to compliance, coordination, and engagement under the Cyber Resilience Act.

The FreeBSD Foundation has long provided legal, financial, administrative, and strategic support for the FreeBSD Project and is therefore uniquely positioned to engage with governmental authorities, industry participants, and other organizations on behalf of the broader FreeBSD ecosystem. It also has staff members on the FreeBSD Security Team, Source Manager Team, and other FreeBSD project teams, and this ensures the close integration between the Foundation and the Project that is necessary to provide a high level of CRA readiness.

Accordingly, the FreeBSD Core Team supports the recognition of the FreeBSD Foundation as the FreeBSD Project’s designated Open Source Software Steward for purposes of the Cyber Resilience Act and related regulatory frameworks. The Core Team will continue to collaborate closely with the Foundation, the Security Team, release engineering teams, and the wider community to ensure that FreeBSD remains a secure, sustainable, and openly developed operating system.

Nothing in this statement alters the community-governed nature of the FreeBSD Project or the established responsibilities of project contributors, maintainers, and governance bodies. Rather, this designation is intended to provide a clear point of coordination and representation in matters arising under the Cyber Resilience Act.

[Signature by a Core representative, date and Core number]

For Vendors and Manufacturers

You must comply with the CRA if you are a manufacturer or vendor placing products on the EU market. For your product you must ensure secure design, perform risk assessments, provide security updates, handle vulnerabilities, and maintain documentation for compliance.

Non-compliance with the CRA can bring heavy fines (up to 15,000,000 EUR or 2.5% of global annual turnover).

Reporting Actively Exploited Vulnerabilities

From September 11, 2026, if you have discovered a vulnerability in your product that is subject to the CRA regulation, you must report it directly to your CSIRT and to ENISA. If the vulnerability is in FreeBSD or its components, you must also report it to the FreeBSD Project using the process provided by the FreeBSD Security Team (see the links below for how to do both of these).

Report a vulnerability to ENISA and your CSIRT

Report a vulnerability to FreeBSD

If you develop a patch or a workaround for FreeBSD, you must share it with the FreeBSD Project, which will evaluate it for adoption. You can do this using the Phabricator tool.

Submit a patch to FreeBSD

Meeting Your Secure Design Obligations

The CRA requires manufacturers to conduct due diligence on the open source components they use. A lot of information about FreeBSD’s security practices, vulnerability handling, etc., is publicly documented at https://www.freebsd.org/security.

If you need more information or you are interested in obtaining a Voluntary Security Attestation from the FreeBSD Foundation, please contact us at cra@freebsdfoundation.org.

Please contact the FreeBSD Foundation for CRA-related inquiries rather than contacting the FreeBSD Security Team directly.

For other FreeBSD users and contributors

If you are not considered a manufacturer, you probably don’t have any obligations under the CRA. Please see the guides below for more information.

Guides and Resources