How the Civil Infrastructure Platform, Yocto Project, and Zephyr Project are Closing the Gap to Meeting the Requirements of the Cyber Resilience Act
This case study report from the Linux Foundation investigates the impacts of the Cyber Resilience Act on open source software, including new cybersecurity obligations and the role of manufacturers and stewards. The analysis highlights the security practices of Linux Foundation projects and notes challenges like long-term support, regulatory uncertainty, and standardization gaps. The report recommends investing in security tools, fostering collaboration, and addressing emerging threats such as AI-driven risks.
The European Union’s Cyber Resilience Act (CRA) presents a watershed moment for the open source ecosystem, imposing rigorous cybersecurity requirements on products with digital elements (PDEs) commercialized in the EU. While the regulation will not fully apply until December 2027, with certain provisions taking effect earlier, the stakes are enormous—penalties reaching €15 million or 2.5% of global annual turnover for non-compliance.
The regulation’s impact extends beyond documentation and vulnerability reporting. It fundamentally alters the relationship between upstream open source projects and downstream commercial adopters, demanding greater collaboration for sustainable security maintenance. Neither manufacturers nor stewards can meet CRA requirements in isolation—manufacturers must conduct due diligence when integrating open source components, while stewards must implement and document cybersecurity policies that facilitate secure development.

The Linux Foundation’s analysis of three flagship projects—Civil Infrastructure Platform (CIP), Yocto Project, and Zephyr Project—reveals both the readiness and the challenges facing open source software stewards under the new regulatory framework.

The CRA introduces a novel distinction between commercial manufacturers, who bear primary responsibility for product compliance, and open source software stewards, who develop and maintain open source software without monetization. This acknowledges the reality that open source components often constitute up to 96% of modern software, while respecting the fundamental openness of the development model.