How the EU’s Cyber Act Burdens Lone Open Source Developers

The European Union’s upcoming Cyber Resilience Act (CRA) goes into effect in  October 2026, with the remainder of the requirements going into effect in December 2027, and introduces significant cybersecurity compliance requirements for software vendors, including those who rely heavily on open source components. At the Open Source Summit Europe, Christopher "CRob" Robinson of the Open Source Security Foundation highlighted concerns about how these regulations could impact open source maintainers. Many open source projects begin as personal solutions to shared problems and grow in popularity, often ending up embedded in critical systems across industries like automotive and energy. Despite this widespread use—Robinson noted up to 97% of commercial software contains open source—these projects are frequently maintained by individuals or small teams with limited resources.

Developers often have no visibility into how their code is used, yet they’re increasingly burdened by legal and compliance demands from downstream users, such as requests for Software Bills of Materials (SBOMs) and conformity assessments. The CRA raises the stakes, with potential penalties in the billions for noncompliance, putting immense pressure on the open source ecosystem.

Learn more from The New Stack about Open Source Security:

Open Source Propels the Fall of Security by Obscurity

There Is Just One Way To Do Open Source Security: Together

Join our community of newsletter subscribers to stay on top of the news and at the top of your game.

Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.