This Project's purpose is to explore the topic of, and eventually publish guidance regarding, voluntary security attestations for open source projects under Article 25 of the Cyber Resilience Act (CRA).
These attestations can help support the maintenance and security of open source projects, in exchange for lowering the compliance burden of manufacturers that use those projects in commercial products on the European market.
Our current goal is to create a mature proposal by Q2 of 2026.
**Article 25: Security attestation of free and open-source software**
In order to facilitate the due diligence obligation set out in Article 13(5),
in particular as regards manufacturers that integrate free and open-source
software components in their products with digital elements, the Commission is
empowered to adopt delegated acts in accordance with Article 61 to supplement
this Regulation by establishing voluntary security attestation programmes
allowing the developers or users of products with digital elements qualifying
as free and open-source software as well as other third parties to assess the
conformity of such products with all or certain essential cybersecurity
requirements or other obligations laid down in this Regulation.
- Project Lead: Æva Black
- Meeting Times: Every Other Tuesday @ 1530 CET / 1430 UTC
- Mailing List: we're using the ORC mailing list for now
- Matrix Room: https://matrix.to/#/#oss-attestations:fosdem.org
To support this Project, we will have (at least) two in-person workshops:
- During Eclipse's Code & Compliance event, on October 22 & 23
- During Europe Open Source Week, either before or during FOSDEM (depending on pending proposals)
Participation in the CRA Attestation Project is not limited to Eclipse Foundation members. Anyone is welcome to join the meetings, mailing list, Matrix room, or the Eclipse ORC Slack instance.
Maintainers of open source projects that are, could be, or are contemplating becoming recognized as Stewards are encouraged to participate.
Discussions and proposals, both during meetings and on the mailing list, should center on projects that have a potential commercial use, and should reflect the broad range of legal entities that support open source projects.
Anyone who contributes to this project's output, whether via git contributions, during meetings, or otherwise, may opt to be credited herein by opening a merge request to update this file, or by emailing the Project Lead with a request to do the same.
Contributors:
- Æva Black
- ...