Illustration of the Cyber Resilience Act and Open Source guide v2

CRA Compliance Guide: Getting Ready to Embed the Cyber Resilience Act in Your Open Source Practice


As the European Union faces growing exposure to cyber-attack risks, the European Commission adopted the Cyber Resilience Act (CRA) in December 2024. This regulation aims to strengthen the cybersecurity (or cyber-resilience) of digital products placed on the European market, by embedding digital security at every stage of the product life cycle.

To support this regulatory transition, CNLL and inno³ have been working since 2024 on a CRA implementation guide. The ambition of the document is twofold: to make the stakes of the CRA accessible, and to provide concrete guidelines that help organisations anticipate compliance while taking the specific characteristics of Open Source models into account. The initial version of the guide, released in December 2024, was updated in December 2025.

This CRA implementation guide is intended to support French digital actors who produce or integrate free and open source software in their products and/or services. It distils the impact of the CRA and operationalises the main expectations of the European legislator.

Without aiming for exhaustiveness, its objective is to prepare the actors of the sector so that they can identify reasonable approaches that may be implemented within their organisation, and adjust their Open Source management processes as needed to integrate the specific and complementary cybersecurity expectations (in particular regarding the production of Software Bills of Materials and vulnerability management).

It is meant to be widely shared throughout the professional Open Source ecosystem, in particular to support exchanges with the European legislator. It is designed to evolve over time, both to track regulatory developments and to address complementary issues (large users, public administrations, etc.). The second version incorporates significant horizon-scanning work, combining theoretical and practical doctrine around the regulation, as well as the elements and clarifications shared by the European Commission. It is also fed by exchanges within the mission-cra-cnll@framagroupes.org mailing list.

Furthermore, a survey conducted by inno³ and CNLL among companies in the Open Source ecosystem made it possible to assess their readiness for the CRA, as well as their concrete expectations of the regulation. The lessons from this survey directly contributed to enriching the guide, in particular by providing answers to several questions frequently encountered in the field.

The release of version 2.0 took place at Open Source Experience 2025.

Next steps: real-world cases in 2026

Work around the guide will continue in 2026, focusing on the study of several real-world cases involving specific Open Source actors. The objective will be to formalise compliance models tailored to the various realities and use cases, in order to offer even more operational tools.

For those interested, the horizon-scanning and analysis effort continues within the CNLL working group dedicated to the Cyber Resilience Act. Organisations wishing to actively contribute to developing these models are invited to reach out to CNLL or inno³.

The guide and the participation arrangements are available on inno3.fr and cnll.fr.