
Everything Open Source Developers Need to Know About the EU Cyber Resilience Act

The European Union’s Cyber Resilience Act (CRA) is a game-changer for software developers and organizations that rely on digital products. As David A. Wheeler, Director of Open Source Supply Chain Security at Open Source Security Foundation (OpenSSF), explained in a recent interview, the CRA is a regulation that applies to products with digital elements, including software and hardware, and has been revised to better accommodate open source software.

The CRA is not just another regulation; it’s a wake-up call for the industry. As Wheeler noted, “The CRA applies to something called products with digital elements, which includes software. It’s a big change—a regulation that applies so broadly, not just to medical devices or other specialized areas like airplanes, but to software in general.”


📹 Going on record for 2026? We're recording the TFiR Prediction Series through mid-February. If you have a bold take on where AI Infrastructure, Cloud Native, or Enterprise IT is heading—we want to hear it. [Reserve your slot

The regulation mandates risk identification, vulnerability management, and documentation, making it a significant shift from the status quo. “There are a number of requirements, but really the first gate is what’s called risk identification,” Wheeler said. “If you’re selling a product and it can’t possibly do certain things or cause certain kinds of harm, you don’t need to worry about it. But as soon as it can pose those kinds of risks, there are steps you must take to address and manage them. Then there’s a set of specific requirements that apply.”

One of the most significant aspects of the CRA is its impact on open source software. Initially, the regulation was met with criticism from the open source community, as it was seen as placing an undue burden on open source developers. However, revisions have since been made to better accommodate open source software. As Wheeler explained, “If you are an organization that systemically supports open source software, then you are considered an open source software steward. That’s a whole new construct the older CRA didn’t have, because it didn’t adequately take open source software into account.”

The CRA’s enforcement will begin in 2026, with the full set of requirements being enforced in December 2027. Penalties for non-compliance can be steep, reaching up to 15 million euros or 15% of annual revenue.

To help software developers and managers understand and comply with the CRA, OpenSSF has released a free, self-paced course. As Wheeler emphasized, “We want to make sure that people can learn now what it involves, determine whether it applies to them, and start getting ready so they’ll be prepared in time.”

The CRA is a significant development in the world of cybersecurity, and it’s essential for organizations to take it seriously. As Wheeler noted, “This is a huge change, so all of those folks are going to be affected. That’s why we thought it was very important to make this course freely available—to help people truly understand it so they can go and actually comply.”

Guest: David A. Wheeler
Organization: OpenSSF
