OW2con'26 CRA Open Source conference

CRA & Open Source at OW2con’26: workshop feedback, guide v3 and the LibreOffice case

On 2 June 2026, the inno³ team spoke alongside Stéphane Fermigier (CNLL) at the 2026 edition of OW2con’26, on the theme “Cyber Resilience Act (CRA) and impact on open source actors”. It was an opportunity to present the latest developments of the CRA & Open Source guide produced by inno³ and the CNLL, as well as a concrete use case carried out with The Document Foundation around LibreOffice. Beyond the presentation, the discussions surfaced points of attention that outline the work ahead for the whole ecosystem.

The CRA and its guide: where do we stand?

The first part of the session looked back at developments around the Cyber Resilience Act and the guide that accompanies it. As a reminder, the CRA is a European regulation intended to strengthen the cybersecurity and resilience of digital products placed on the EU market. The first obligations will apply as early as September 2026, with the notification of actively exploited vulnerabilities and serious incidents. All the regulation’s requirements will then apply from 11 December 2027: declaration of conformity, CE marking and the security requirements of Annex I.

On this occasion, inno³ and the CNLL presented an improved version of their guide. It incorporates the guidance published by the European Commission, which confirms several interpretations that matter to Open Source actors: a commercial activity implies monetisation, stewards (managers of free software) are not treated as manufacturers, and contributors remain outside the scope. This guidance also clarifies the remote processing of data, substantial modifications, support periods and the notion of “known” vulnerabilities.

Some questions nevertheless remain open – on the non-rivalry of free software, SME use cases, or the level of detail expected for SBOMs. It is precisely to assert the specificities of the Open Source ecosystem that inno³ and the CNLL contributed to the European consultation on this guide.

LibreOffice: a use case that will set a precedent

The conference was also an opportunity to present the work carried out for The Document Foundation (TDF), which will lead to complementary tools integrated into the next version of the guide. inno³ is indeed supporting the foundation in setting up its declaration of conformity and its CE marking.

Qualifying LibreOffice as a “product with digital elements placed on the market”, together with The Document Foundation’s wish to position itself as a manufacturer (and/or steward), requires the foundation to comply with the new CRA obligations. The support was structured around several workshops – qualification under Article 13, requirements of Article 14 and of Annex I, documentation of Annex II – leading to a gap analysis and then an assessment report.

An important point: the methodology and deliverables from this support are designed to be shared publicly and reused by other Open Source organisations. This is the whole point of the approach: turning a concrete case into a methodological commons for the benefit of the entire ecosystem.

What the discussions revealed

The presentation was followed by an open discussion with participants. The round of introductions first highlighted the extreme heterogeneity of the profiles concerned by the CRA – large industrial players, vendors, public administrations, foundations – and a very variable level of understanding of the regulation across communities. Several salient points are worth noting.

Commercial intent, the cornerstone of scope. The notion of commercial intent took up much of the discussion: it is what determines who is considered a “manufacturer” within the meaning of the regulation, in particular when a service is offered. The determining factor is not the fact of charging, but its purpose: does making the software available aim to generate revenue, or only to offset the legitimate costs of development and maintenance?

The economic impact on compliance. The question of funding held a central place. The new requirements (vulnerability monitoring, maintenance, patch management) represent a significant investment in time and skills, and risk increasing the pressure on projects that are often carried by limited resources. Two guiding principles emerged: sustainably funding the maintenance of software used in commercial products is becoming the norm; and companies that reuse these components share responsibility in this balance. In this respect, the CRA can act as a genuine lever to encourage organisations to contribute to the Open Source projects they depend on.

SBOMs: granularity, typology and matching difficulties. The Software Bill of Materials is taking on growing importance, all the more so as the regulation requires its provision at the request of authorities. The discussions revealed several concrete difficulties: a need for greater granularity and better matching between SBOMs and vulnerability descriptions (CVE); the existence of several types of SBOM depending on the nature of the objects described, with library SBOMs calling for a specific approach; and the still-limited coverage of configuration files and deployment environments, a persistent blind spot in risk analysis.

Reducing the attack surface: a logic already at work. An underlying trend was confirmed: reducing the number of features and dependencies as a security lever, all the more relevant at a time when AI is accelerating the discovery of vulnerabilities. This is already good practice for many Open Source projects, through modularisation and the design of standalone modules or plugins (addons).

A still-shifting regulation, a community to bring on board

A final lesson, and not the least: the CRA is not yet set in stone, and community involvement remains possible. Several voices stressed the need to produce documents reflecting a community consensus, in order to weigh on the concrete arrangements for implementation.

This is exactly the direction in which inno³ and the CNLL are placing their work: a living guide, fed by real cases such as LibreOffice, and an open methodology so that compliance remains accessible and strengthens small structures as well as community projects. What comes next will play out in the coming months, as the first obligations approach – and we fully intend to keep contributing to it.

For those interested, the monitoring and analysis effort continues within the CNLL working group dedicated to the Cyber Resilience Act. Organisations wishing to contribute actively to developing these models are invited to get in touch with the CNLL or inno³, or directly at mission-cra-cnll@framagroupes.org.

The guide and the participation arrangements are available on the inno3.fr and cnll.fr websites.