Build CRA-Compliant Cybersecurity Processes | ARC Advisory Group
The Apache Software Foundation, Blender Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, Rust Foundation, and Eclipse Foundation jointly announced their intention to collaborate on establishment of common specifications for secure software development based on existing open-source best practices. The Open Regulatory Compliance Working Group within the Eclipse Foundation was formed to address the multifaceted challenges of cybersecurity in the open source ecosystem and to demonstrate the sponsoring organizations’ commitment to cooperation with and implementation of the European Union’s Cyber Resilience Act (CRA).
CRA introduces rules on how software should be developed, tested, audited, and supported to ensure more secure software. While open-source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation. Recognition of the common legislative challenge to both the open-source community and broader software industry is central to formation of the working group due to the urgent need for cybersecurity process standards.
For years, open-source foundations and communities have created and maintained de facto standards for secure software development processes. Using these and associated best practices as the starting point, the aim is to accelerate development of cohesive cybersecurity processes required for regulatory compliance while offering a neutral environment for hosting technical discussions with the open-source community at large. Other code-hosting open-source foundations, SMEs, industry players, and researchers are invited to join.
The new working group will be hosted at the Brussels-based Eclipse Foundation AISBL under the auspices of the Eclipse Foundation Specification Process and the new working group. Working group governance will follow the Eclipse Foundation’s usual member-led model but will be augmented by explicit representation from the open-source community to ensure diversity and balance in decision-making. Deliverables will consist of one or more process specifications made available under a liberal specification copyright license and royalty-free patent license.
The reasons for this collaboration extend beyond compliance. In an era where software, particularly open-source software, plays an increasingly vital role in modern society, the need for reliability, safety, and security has steadily increased. New regulations, exemplified by the impending CRA, underscore the urgency for secure-by-design and robust supply chain security standards well before the new regulation comes into force in 2027.
Further information on the working group’s objectives and activities can be found here.
Further information on ARC’s coverage of Industrial Cybersecurity is available here.