Project Overview
The FreeBSD Foundation’s Cyber Resilience Act Readiness Project, approved in January 2026, prepares the FreeBSD ecosystem for the EU Cyber Resilience Act, a new regulation establishing cybersecurity requirements for products sold in the European Union. Our goal is to ensure the Foundation meets its legal obligations as an open source steward, that the FreeBSD Project is protected from disruption as manufacturers adapt to the CRA, and that contributors understand they are not personally liable under the regulation.
For background on the Foundation’s CRA work, read our launch blog post: Getting ready for the Cyber Resilience Act.
- Project Sponsor: Deb Goodkin
- Project Manager: Alice Sowerby
- Approved: January 1, 2026
- Duration: January 2026 – December 2026
A public GitHub repository documents project progress, work output, and the Foundation’s decision-making throughout 2026.
Key Outcomes
The project is organized around eight outcomes across three areas:
- Foundation readiness
  - Compliance as an open source steward.
  - Financial and material support from manufacturers.
- Project readiness
  - Clear understanding of potential CRA-related scenarios.
  - Updated processes and staffing to respond to those scenarios.
  - A functional SBOM (Software Bill of Materials) toolchain.
- Community readiness
  - A documented guide to the CRA and how it affects the FreeBSD Project and contributors.
  - A mechanism for FreeBSD community engagement in EU policymaking.
  - A public record of the Foundation’s CRA readiness work.
Workstreams
The project runs across these workstreams through 2026.
- Security and Vulnerability Handling
  - Foundation staff collaborate with FreeBSD Project stakeholders (Core, Secteam, Ports Secteam) and downstream vendors to develop a shared understanding of CRA responsibilities, examine potential scenarios, and determine appropriate collaborative responses. This workstream also updates policies, public positions, and documentation as needed and considers emerging good practice from the wider open source ecosystem.
- SBOM Toolchain
  - The CRA requires manufacturers to provide a Software Bill of Materials for covered products. By developing a single, shared, open source SBOM toolchain for FreeBSD, downstream manufacturers get authoritative SBOM data they can rely on, and the Project maintains control over how its components are documented. This work, started in 2025 under the Infrastructure Modernization project, is being extended through 2026.
- Public Documentation
  - The Foundation will publicly document its policy positions on the CRA and publish FreeBSD-specific information for maintainers and manufacturers, including emerging processes and contact information.
- Community Legislative Engagement
  - The Foundation will establish a communication channel — likely a mailing list — to share third-party requests for legislative input with the community. EU bodies, standardization organizations (CEN, CENELEC, ETSI), and open source collectives regularly seek input on policy development, and several requests are typically open at any given time.
Communications
Throughout the year the Foundation will share milestones, important information, and progress summaries through blog posts, social media, and other channels.
A note on scope: The CRA is new legislation, and real-world implementation and best practices are still evolving. The scope of this project will adapt over time as our understanding develops.
Resources
From the FreeBSD Foundation:
- Getting ready for the Cyber Resilience Act (blog post)
- FreeBSD Foundation initial statement on the CRA (February 2024)
- Public project repository on GitHub
Background and reference material:
- CRA introduction at the FreeBSD Vendor Summit (Michael Winser)
- Short intro from the downstream vendor side
Open source community resources:
- Open Regulatory Compliance Working Group (ORC)
- OpenSSF EU Cyber Resilience Act overview
- Linux Foundation CRA resources
- CRA FAQs from an open source group (ORC WG)
Get in Touch
Questions about the FreeBSD Foundation’s CRA work? Email cra@freebsdfoundation.org.
Please use this address for CRA-related questions rather than contacting the FreeBSD Security Team directly.
We also invite you to check out our monthly updates.