Skip to main content
Back to Catalogue

EU Cyber Resilience Act (CRA) Compliance

Comprehensive CRA compliance assessment and implementation support for open source projects with digital components

Sponsor and Ecosystem Impact

The Cyber Resilience Act introduces mandatory cybersecurity requirements for digital products entering the EU market beginning in December 2027, and preparing now positions your project as a secure, trusted component in global supply chains.

Need this service?
Improve this Playbook

Cyber Resilience Act (CRA) Pracitioner Playbook

A playbook for maintainers and pracitioners, in addition to their own resources.

Important Note: due to the obvious risk associated with this topic, the pracitioner delivering this service would be required to be validated by a CRA authorithy, or related foundation.

Process Milestones

  • Kick off meeting: Maintainer meets with OSS Wishlist admin and pracitioner (whether sponsor employee or verified pracitioner) to align on goals and timeline.
  • Milestones finalized
  • Milestone completed
  • Wrap up meeting: Maintainer meets with OSS Wishlist maintainer and pracitioner
  • Attestation of compliance (TBD method)
  • Survey (maintainer and pracitioner)

Resources

EU Cyber Resilience Act (CRA)

OpenSSF – Security Best Practices & Tooling

Vulnerability Disclosure & Handling

Supply Chain Transparency

Repository Security Hygiene

CRA Context for Open Source

EU Cyber Resilience Act (CRA) – Open Source Readiness Rubric

Purpose:
Assess whether an open source project has reached a security and documentation state that enables downstream compliance with the EU Cyber Resilience Act (CRA).

Important framing:
This rubric evaluates enablement, not legal responsibility.
Passing this rubric supports downstream manufacturers’ CRA obligations.

Audience: Peer reviewers

Scoring Model:
Each criterion is scored independently.
Overall result is determined by the lowest scoring critical criterion.

  • 0 = Not present
  • 1 = Present but insufficient
  • 2 = Present and sufficient (meets CRA enablement needs)

A. Vulnerability Disclosure & Response

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
A1. Public Disclosure ProcessNo disclosure guidanceInformal or unclearClear, documented process (e.g. SECURITY.md)0–2
A2. Private Reporting ChannelNo private channelExists but unreliableClear, monitored reporting path0–2
A3. Vulnerability Handling PracticeNo evidence of handlingInconsistent responseDemonstrated acknowledgement and remediation0–2

B. Maintainer Access & Identity Security

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
B1. Maintainer Account ProtectionNo 2FA enforcementPartial or voluntary2FA enforced for maintainers0–2
B2. Administrative Access ControlUnrestricted admin accessExcessive adminsLimited, documented admin access0–2
B3. Access Revocation CapabilityNo clear processInformal/manualClear ability to revoke access promptly0–2

C. Dependency & Build Transparency

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
C1. Dependency DeclarationDependencies unclearPartial listingDependencies declared and discoverable0–2
C2. Build Input VisibilityBuild opaquePartially documentedBuild inputs documented at high level0–2
C3. Artifact IntegrityUndocumented binariesMixed practicesNo undocumented binaries in releases0–2

D. Release Traceability

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
D1. Versioning / TaggingNo versioningInconsistent taggingReleases are versioned or tagged0–2
D2. Change TraceabilityNo traceabilityPartial traceabilityCommits traceable to releases0–2
D3. Security Fix IdentificationFixes indistinguishableInconsistent signalingSecurity-relevant fixes identifiable0–2

E. Secure Development Practices

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
E1. Branch ProtectionsNonePartialReviews/checks enforced0–2
E2. Automated Security SignalsNoneInconsistentDependency or vuln scanning enabled0–2
E3. Secret ManagementSecrets in repoRisky practicesSecrets protected and managed0–2

F. Downstream CRA Enablement

Criterion0 – Not Present1 – Insufficient2 – SufficientScore
F1. Security Context DocumentationNo guidanceMinimal notesClear security assumptions & limits0–2
F2. Regulatory Awareness StatementNoneVague mentionExplicit support for downstream CRA compliance (no liability claim)0–2

Overall CRA Readiness Result

Passing Condition:

  • All criteria score 2, or
  • At most two criteria score 1, with no 0s

Results:

  • Pass – Project enables downstream CRA compliance
  • Conditional – Gaps require remediation before regulated use
  • Fail – Project state blocks CRA-regulated adoption

Reviewer Notes

  • Blocking gaps:
  • Sponsor-investable remediation areas:
  • Recommended priority actions:

: