惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

K
Kaspersky official blog
Engineering at Meta
Engineering at Meta
D
DataBreaches.Net
Stack Overflow Blog
Stack Overflow Blog
Microsoft Security Blog
Microsoft Security Blog
Y
Y Combinator Blog
B
Blog RSS Feed
GbyAI
GbyAI
P
Proofpoint News Feed
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
D
Docker
阮一峰的网络日志
阮一峰的网络日志
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Recorded Future
Recorded Future
美团技术团队
The Register - Security
The Register - Security
V
Visual Studio Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
T
Tailwind CSS Blog
爱范儿
爱范儿
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
T
The Blog of Author Tim Ferriss
博客园 - 司徒正美
量子位
B
Blog
F
Fortinet All Blogs
Martin Fowler
Martin Fowler
博客园 - 【当耐特】
MongoDB | Blog
MongoDB | Blog
A
About on SuperTechFans
I
InfoQ
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
有赞技术团队
有赞技术团队
雷峰网
雷峰网
大猫的无限游戏
大猫的无限游戏
J
Java Code Geeks
L
LangChain Blog
Latest news
Latest news
S
SegmentFault 最新的问题
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Blog — PlanetScale
Blog — PlanetScale
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Cisco Talos Blog
Cisco Talos Blog
F
Full Disclosure
C
Cisco Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
W
WeLiveSecurity
T
Tenable Blog
T
Tor Project blog

FreeBSD Foundation

Represent FreeBSD in Your Community | FreeBSD Foundation EuroBSDCon 2026 Travel Grant Application Now Open | FreeBSD Foundation FreeBSD Graphics Port Upgraded to Linux 6.12 | FreeBSD Foundation FreeBSD AI-assisted Vulnerability Discovery Project launch | FreeBSD Foundation Recap of the April 2026 Frankfurt Area FreeBSD Hackathon – Sven Ruediger | FreeBSD Foundation Cleaning Up Critical Infrastructure in FreeBSD | FreeBSD Foundation AsiaBSDCon 2026 Trip Report – Saikeo | FreeBSD Foundation AsiaBSDCon 2026 Trip Report – Minsoo Choo | FreeBSD Foundation Call for testing: introducing the Laptop Integration Testing project | FreeBSD Foundation Build a NAS using FreeBSD on a Raspberry Pi | FreeBSD Foundation FreeBSD Foundation Q4 2025 Status Update | FreeBSD Foundation The Q4 2025 Issue of the FreeBSD Journal is Now Available! | FreeBSD Foundation Powering the Future of FreeBSD | FreeBSD Foundation 2025: Software Development and Infrastructure Support. | FreeBSD Foundation Infrastructure Modernization – commissioned by the Sovereign Tech Agency | FreeBSD Foundation FreeBSD Closes the Laptop Gap: Year One Project Update | FreeBSD Foundation 2025: A Year of Advocacy, Community, and Growth | FreeBSD Foundation
Getting ready for the Cyber Resilience Act | FreeBSD Foundation
Florine Kamdem · 2026-02-26 · via FreeBSD Foundation
February 25, 2026

Please note that the information provided in this document is for informational purposes only and does not constitute legal advice.

The FreeBSD Foundation has launched its Cyber Resilience Act (CRA) Readiness project for 2026 to prepare the Foundation, the FreeBSD Project, and the broader FreeBSD community for the European Union’s landmark cybersecurity legislation. This post provides context for why we are investing in this work now and information about what the project will cover.

The EU is regulating software security

The EU’s CRA (REGULATION (EU) 2024/2847) represents one of the most significant pieces of software security legislation in recent history. It places commercial software into a regulatory framework for security and, if products are found to be non-compliant, it specifies fines of up to 15 million euros or 2.5 % of a company’s total worldwide annual turnover, whichever is higher. 

Manufacturers are required to manage the security risks posed by their supply chain

For manufacturers the CRA mandates essential cybersecurity requirements with which they must comply during the design, development and production of their products. 

These requirements fall into two main categories, each of which has stringent enforcement:

  1. Products must be secure by default. 

Manufacturers must actively manage the cybersecurity risk across the full lifecycle of their products. They must document how they are doing this (including providing an SBOM) and make it available to the market surveillance authorities. They must exercise due diligence in their use of 3rd-party components such as open source projects. They must provide a declaration of conformity with the CRA on the basis of having carried out an accepted conformity assessment procedure.

  1. Vulnerabilities must be rapidly reported.

Once the product is on the market, manufacturers must act quickly when actively exploited vulnerabilities are discovered. Notifications must be reported on the CRA Single Reporting Platform with deadlines as follows: 24 hours for an early warning notification, and 72 hours for the main notification. Further reporting deadlines also apply within a 14-28 day window.

There is a lot more detail provided in the CRA itself, but these headlines are enough to give a clue to the sorts of activities that manufacturers will soon start doing to meet the CRA requirements.

The CRA is already law, with staged compliance deadlines

The CRA entered into force on 10 December 2024. Its essential cybersecurity requirements (including ‘secure by default’ principles) will start applying from 11 December 2027. Products placed on the market before 11 December 2027 are only subject to these requirements if they undergo substantial modification after that date. 

Reporting obligations come into force on 11 September 2026. Reporting obligations apply to all products with digital elements available in the EU market, including those already on the market before 11 December 2027.

Open source projects have limited CRA responsibilities, but face both opportunities and risks

Open source projects have limited responsibilities

Many in the open source community have been watching this coming down the tracks. The first iteration of the CRA did not mention open source at all. Thanks to feedback from many open source contributors, the CRA now contains robust carve-outs of responsibility for open source projects. 

Happily, individuals who contribute to free and open source projects are exempted from all legal responsibilities, even if they are paid to contribute on a project. 

Organizations that are classified as ‘open source stewards’ have limited responsibilities under the CRA and cannot be fined. The FreeBSD Foundation likely falls under this classification. Individuals cannot be stewards.

The risks to an open source project

Does this mean an open source project has nothing to worry about? For open source projects which are used in downstream commercial software products there are some areas where things might get rough once manufacturers start getting serious about CRA compliance.

One example is a “due diligence denial of service attack”. What happens when many manufacturers aim to carry out a due diligence process on components in their SBOM? A project with a large downstream user base might receive a deluge of requests for information. 

Or, how about when an exploited vulnerability is discovered in your open source project? A manufacturer would have to report it within 24h and your project might receive requests for information, and patch submissions (or demands for fixes!) that come with a lot of pressure attached. Does your project have the processes and staffing for this?

Another, more insidious, possibility is that any open source project that is not prepared for the CRA may simply get swapped out or passed over by manufacturers who see a more-compliant option. This could contribute to putting a project on a downward trajectory.  If you are thinking “my project is too hard to swap out”, consider this –  an unprepared project that cannot be easily swapped out might find that the downstream start making SBOMs just for their fork (this could create all sorts of complexities and upstream queries). 

The opportunities for open source projects

It is not all doom and gloom though. The CRA has the potential to change the power dynamics of the open source landscape. Projects that are proactive in preparing for the CRA will be better positioned to forge new relationships with their downstream users. 

When manufacturers need SBOMs, documentation on security processes, and swift vulnerability management responses to avoid eye-watering fines, they may be more incentivized  to support their upstream open source projects. 

Projects could secure funding agreements, gain dedicated security staffing support, or establish formal partnerships with manufacturers.

Open source projects all over the world are working together to figure this out. After all, it’s what we do. 

The FreeBSD Foundation is committed to helping FreeBSD navigate this important change successfully.

The FreeBSD Foundation’s CRA Readiness project

For FreeBSD, getting prepared now means we can take a proactive approach to CRA readiness and leverage as much benefit as possible while reducing potential harms. 

The high-level project goals are: make sure the Foundation fulfills its legal obligations as an open source steward, protect the Project from disruption as manufacturers work to meet CRA requirements, and ensure that our contributors understand they are not personally exposed to legal liability under this legislation.

What we are working on

The project is organized into six workstreams running through 2026:

Security and vulnerability handling 
This is the core of the effort. Foundation staff will work closely with FreeBSD’s Core team, Security team, and Ports Security team, and downstream vendors to develop a shared understanding of CRA responsibilities and to examine how we collectively respond to CRA-related scenarios. This is a sustained, 12-month effort that takes a holistic view of FreeBSD’s security posture, and will result in updated policies, public positions, and documentation where needed.

SBOM toolchain 
This addresses one of the CRA’s most concrete requirements: Software Bills of Materials. Rather than leaving manufacturers to independently generate their own (potentially inaccurate) SBOMs for FreeBSD-based products, we are building a single, authoritative, open-source SBOM toolchain. This work builds on development started in 2025 under our Infrastructure Modernization project. Over the next four months, we will be adding SBOM information files, identifying and filling licensing gaps, and collaborating with upstream projects to improve SBOM metadata. A shared, accurate SBOM solution is better for everyone.

Public documentation 
This will give manufacturers, maintainers, and contributors clear, FreeBSD-specific information about CRA requirements, including emerging processes and key contacts. The content will evolve as our understanding deepens across the other workstreams.

Community legislative engagement 
This will open up a simple communication channel (most likely a mailing list) so that the FreeBSD community can participate in EU policy development. Bodies like CEN, CENELEC, and ETSI regularly seek input from the open source world, and we want to make sure FreeBSD voices are part of that conversation.

A public-facing project repository 
This will serve as the running record of everything we do. We are committed to transparency: detailed updates, outputs, and decision-making will all be documented here as the project progresses.

Communications 
We will keep the broader community informed through blogs, social media, and other channels as we hit key milestones.A note on scope
The CRA is new legislation, and real-world guidance on implementation continues to evolve. We have designed this project to adapt as our understanding develops, and though the workstreams above reflect our best current thinking, you should expect the details to shift over time. We will keep you informed as they do.

Learn more