
Contributing to the European Commission’s upcoming CRA guidance


The European Commission has published a first version of its practical guidance on the application of the Cyber Resilience Act and launched a consultation to gather feedback from the field. Inno³ and CNLL joined forces to submit a detailed contribution drawing on their joint work and the publication of the CRA & Open Source Guide.

On 3 March 2026, the European Commission published draft guidance on the application of the Cyber Resilience Act, with a section dedicated to free and open source software (section 3 of the document opened for review). In a co-construction approach (as already practised during the consultation on the structuring of the Open Source ecosystem), the Commission invited field actors to share their feedback in order to refine this first version.

Inno³ and CNLL contribution, building on the CRA & Open Source Guide

Together with CNLL, we submitted a joint contribution drawing on the experience that led to the publication of the Cyber Resilience Act and Open Source Guide (v2.0, published in December 2025 and also available on cnll.fr). Building as well on the compliance work carried out through the Hermine-FOSS project and on our daily exchanges with open source projects and vendors, we wanted to provide detailed feedback.

A few of the points raised:

  • The need to clarify the “dual-track” model (community vs. commercial editions) for open source vendors.
  • The importance of transitive SBOMs (not just first-level dependencies) to deliver genuine visibility on the software supply chain, and to ensure that the CRA does not represent a step backwards compared with what many projects already publish.
  • The need to clarify the status of forges that exercise de facto control over development workflows without being formally recognised as “stewards”.
  • The contractual cascade challenge: how CRA obligations will flow back to community projects that are not directly within scope.
  • The natural fit between Module A (self-assessment) and the intrinsic transparency of open source.
  • The lack of tooling for public administrations to effectively integrate CRA requirements into their procurement (Article 5§2).
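To make the transitive-SBOM point concrete, here is a short added example (not code from the original page, nor from the Inno³/CNLL contribution). It walks the `dependencies` graph of a CycloneDX-style document and reports which components a first-level-only SBOM would leave invisible, plus any dangling references that indicate the SBOM is incomplete. The sample document, its `bom-ref` values and the package versions are constructed for illustration; only the `dependencies` / `dependsOn` shape is the real CycloneDX structure.

```python
# Added example: what a first-level-only SBOM hides, computed from a
# CycloneDX-style dependency graph. The document below is CONSTRUCTED for
# illustration; names and versions are not taken from any real SBOM.
from collections import deque

SAMPLE_BOM = {
    "metadata": {"component": {"bom-ref": "pkg:generic/shop-app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.32.3", "name": "requests"},
        {"bom-ref": "pkg:pypi/urllib3@2.2.2", "name": "urllib3"},
        {"bom-ref": "pkg:pypi/certifi@2024.7.4", "name": "certifi"},
        {"bom-ref": "pkg:pypi/idna@3.7", "name": "idna"},
        {"bom-ref": "pkg:pypi/click@8.1.7", "name": "click"},
    ],
    # CycloneDX "dependencies": each entry names a ref and what it dependsOn.
    "dependencies": [
        {"ref": "pkg:generic/shop-app@1.0.0",
         "dependsOn": ["pkg:pypi/requests@2.32.3", "pkg:pypi/click@8.1.7"]},
        {"ref": "pkg:pypi/requests@2.32.3",
         "dependsOn": ["pkg:pypi/urllib3@2.2.2", "pkg:pypi/certifi@2024.7.4",
                       "pkg:pypi/idna@3.7"]},
        {"ref": "pkg:pypi/urllib3@2.2.2", "dependsOn": []},
        {"ref": "pkg:pypi/certifi@2024.7.4", "dependsOn": []},
        {"ref": "pkg:pypi/idna@3.7", "dependsOn": []},
        {"ref": "pkg:pypi/click@8.1.7", "dependsOn": []},
    ],
}


def root_ref(bom):
    """bom-ref of the product the SBOM describes (metadata.component)."""
    return bom["metadata"]["component"]["bom-ref"]


def dependency_graph(bom):
    """Map each ref to the list of refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", []))
            for d in bom.get("dependencies", [])}


def direct_dependencies(bom):
    """What a first-level-only SBOM would list: the root's own dependsOn."""
    return set(dependency_graph(bom).get(root_ref(bom), []))


def transitive_dependencies(bom):
    """Breadth-first closure from the root; the seen-set also guards cycles."""
    graph = dependency_graph(bom)
    seen = set()
    queue = deque(graph.get(root_ref(bom), []))
    while queue:
        ref = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        queue.extend(graph.get(ref, []))
    return seen


def hidden_by_first_level_sbom(bom):
    """Components actually shipped but absent from a direct-deps-only SBOM."""
    return transitive_dependencies(bom) - direct_dependencies(bom)


def unresolved_refs(bom):
    """Refs named in dependsOn that have no component entry: the graph was
    cut short and the SBOM cannot give full supply-chain visibility."""
    known = {c["bom-ref"] for c in bom.get("components", [])} | {root_ref(bom)}
    return {ref for deps in dependency_graph(bom).values()
            for ref in deps if ref not in known}


if __name__ == "__main__":
    print("direct:", sorted(direct_dependencies(SAMPLE_BOM)))
    print("hidden by a first-level-only SBOM:",
          sorted(hidden_by_first_level_sbom(SAMPLE_BOM)))
    print("unresolved refs:", sorted(unresolved_refs(SAMPLE_BOM)))
```

On the sample, the first-level view shows two packages while the product actually ships five; the three extra ones are exactly where a vulnerability in a library-of-a-library would go unnoticed. The `unresolved_refs` check is the practical test to run on a received SBOM: a non-empty result means the producer stopped expanding the graph before reaching the leaves.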

This feedback is part of a long-term effort to ensure that compliance remains accessible and that it strengthens, rather than weakens, small organisations and community projects. To date, more than 85 responses have been submitted on the consultation site. It is still possible to take part until 13 April 2026 on the consultation platform. We encourage you to make your voice heard.