As the deadline for the application of the CRA draws closer, thanks to the efforts of the OSI and other organisations, for the first time, the Open Source community will have the opportunity to directly participate in the standardisation process, shaping the standards that will apply to many crucial types of software.
Over the last three years, the OSI has been working hard to reduce the burden of the Cyber Resilience Act on Open Source communities. At the heart of that effort is our work on the standards for the CRA. The CRA’s standards are split up into two parts: horizontal standards (general principles applicable to all products), and vertical standards (specific additional rules for higher-risk product types).
For most products, following the horizontal standards will be enough, but for products that pose a higher risk, the CRA requires manufacturers to choose between highly burdensome comprehensive compliance tests, or following **specialised vertical standards**, which are less burdensome and provide presumption of compliance with the law.
While these standards will only apply to manufacturers (companies or individuals who are selling their Open Source software, or support for that software, with the intent of making a profit), they risk having unintended upstream impact on Open Source developers. So, while the process of standards-making is far from perfect, and definitely poorly suited to the Open Source community, we have been working to involve the Open Source community as much as possible.
We have done this in two ways: firstly, by finding participants from the Open Source and cybersecurity community to lead and participate in the standardisation work, and getting them into standardisation organisations; and secondly, by pushing for open consultations and working methods to ensure voices from Open Source communities are heard.
Today, we are happy to announce the beginning of an Open consultation on many of the vertical standards, covering the following domains:
- Password Managers
- Antivirus
- VPNs
- Network Management Systems
- Boot Managers
- Public Key Infrastructure
- Virtual Network Interfaces
- Operating Systems
- Routers, modems and switches
- Hypervisors and container runtimes
Your participation will help ensure these standards are made with the Open Source community in mind! You can find instructions on how to access the standards and submit comments here!
If you are interested in learning more, please check this video recording: From Closed Rooms to Open Dialogue: How to Participate in CRA Vertical Standards | CRA Mondays