Cover of new CRA & Open Source Guide v2

CRA and Open Source: an uneven maturity

With the Cyber Resilience Act (CRA) coming into force, CNLL (Syntec Numérique) and inno³ ran a survey of the Open Source community and ecosystem businesses. The aim was to map perceptions of the issues, the level of preparedness, and the concrete expectations vis-à-vis the upcoming European regulation (so as to know how to respond to it in practical terms).

The results of this consultation (70 respondents, of whom only half completed the survey) confirm two strategic observations: an uneven maturity on the topic, and a marked concern about the impact of the CRA on Open Source actors and projects. These data served as the foundation for the second version of the CNLL Guide on the CRA, produced by inno³.

The uneven preparedness of Open Source ecosystem businesses

Our starting hypothesis was that Open Source actors, generally more attentive to cybersecurity issues, would quickly take this regulation fully on board. We pointed to the continued involvement of Open Source communities in the standardisation of SPDX and CycloneDX formats, or to the strong mobilisation during the drafting of the regulation. That said, we must also acknowledge that the majority of Open Source economic actors are small or medium-sized enterprises, with generally limited resources (compared to large proprietary vendors).

Self-reported maturity, on a scale of 1 to 10, reveals a wide spread:

  • 41% of participants fall in the least prepared bracket (levels 1 to 4).
  • Only 20% report a high or very high maturity (levels 8 to 10).

This diagnosis points to a clear need for support. Without a major effort in education and structuring, the risk is to see a two-speed application of the CRA emerge, leaving SMEs and specialised Open Source actors potentially overwhelmed by the complexity of the requirements. Preparation must start now, in order to identify roles and adapt internal processes.

Managing the liability of Open Source products: a source of uncertainty

Open-ended questions about concerns and expectations highlight a dominant concern: managing the liability attached to Open Source software (OSS) products.

Actors are mainly worried about:

  • The cost of compliance: an administrative and financial burden seen as disproportionate for small projects and small organisations.
  • The ambiguity around commerciality: lingering uncertainty about the distinction between the volunteer Open Source contributor and the commercial supplier of Open Source software, making the application of obligations uncertain.

In response, expectations focus on the need for an operational framework: clarification of the CRA’s “grey areas”, supply of security document templates (in particular Vulnerability Disclosure Policies), and application examples specific to the various Open Source business models.

What can we conclude?

The survey shows that adopting the CRA will not only be a matter of technical compliance, but a real organisational and legal transformation. The CNLL/inno³ Guide answers some questions, but will need to be supplemented by a framework of ready-to-use tools that translate these obligations into concrete actions.

The new version (v2) of the CNLL Guide, produced by inno³ and shared at OSXP 2025, is one of the concrete actions responding to this finding. This new edition incorporates the comments received on the first version, as well as the latest publications and clarifications issued by the European Commission. Some of the expectations raised in the survey are also addressed, while others may be the subject of dedicated future work.

Next steps:

  • Publication of v2.0 of the guide: the document will be presented and made available next week at the OSXP 2025 event. The guide is produced collaboratively and will be available on the public repository: https://code.inno3.eu/ouvert/guide-cra.
  • Work on real-world cases (2026): following this publication, the CNLL/inno³ working group will continue, focusing on the study of several real-world cases during 2026. The aim will be to formalise compliance models tailored to the diverse realities of Open Source.

➡️ For those interested: the horizon-scanning and analysis effort continues within the CNLL working group dedicated to this regulation. Organisations wishing to actively contribute to developing these models can reach out to CNLL.

We invite you to consult our website https://inno3.fr and CNLL’s https://cnll.fr for the publication of the document and the participation arrangements for the working group.