CRA in practice
Building CRA-Ready Open Source Communities: The Critical Role of Community Managers
January 31, 2026
4:45 PM – 5:00 PM Add to calendar
4:45 PM – 5:00 PM Add to calendar
UA2.114 (Baudoux)
<p>The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by Community Managers, exploring how they can support compliance without assuming legal liability. </p>
<p>We’ll show how Community Managers can:
- Communicate CRA-relevant processes to contributors, downstream adopters, and vendors
- Structure documentation, governance pages, and onboarding materials for clarity and discoverability
- Protect newcomers from unnecessary compliance burden, keeping contribution welcoming and accessible
- Support maintainers, triaging non-technical questions, coordinating workflows, and preventing burnout
Facilitate cross-project collaboration, shared tooling, and evidence collection practices
- Manage vulnerability communication to maintain trust and transparency</p>
<p>The objective is for attendees to leave with practical strategies, templates, and examples that make CRA compliance manageable while keeping open source communities healthy and contributor-friendly. This session is ideal for community managers, project stewards, maintainers, and anyone interested in the human side of CRA readiness in FOSS projects. Attendees will leave with key takeaways:
- Understand CRA’s indirect impact on community management and a checklist of how tos
- Learn concrete ways to keep projects welcoming despite increased compliance expectations
- Explore templates and workflow ideas that reduce friction for contributors and maintainers alike
- See examples of cross-project coordination and documentation practices that support CRA readiness</p>
<p>This session emphasizes practical, community-driven solutions focusing on doing and not debating legal strategy making CRA compliance achievable and sustainable for FOSS communities.</p>
Additional information
| Live Stream | https://live.fosdem.org/watch/ua2114 |
|---|---|
| Type | devroom |
| Language | English |
More sessions
| 1/31/26 |
<p>Opening remarks and housekeeping.</p>
|
| 1/31/26 |
<p>Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.</p> <p>We will outline ...
|
| 1/31/26 |
<p>EV charging stations expose a uniquely difficult CRA landscape: A single physical device can be accessed through very different user paths: ISO 15118 (Plug&Charge), RFID cards, mobile apps, credit-card terminals, and OEM-backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry, and security posture. How to deliver all the CRA obligations across ...
|
| 1/31/26 |
<p><a href="https://github.com/erlang/otp">Erlang/OTP</a> is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by <a href="https://www.ericsson.com/en">Ericsson</a>, <a href="https://www.cisco.com/">Cisco</a>, <a href="https://www.whatsapp.com/">WhatsApp</a>, <a href="https://discord.com/">Discord</a>, and <a href="https://www.klarna.com/se/">Klarna</a> for mission critical ...
|
| 1/31/26 |
<p>Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.</p> <p>This talk provides a practical overview of where CRA compliance currently ...
|
| 1/31/26 |
<p>This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how ...
|
| 1/31/26 |
<p>Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.</p> <p>In this session, Georg and Rao present the findings from the VEX ...
|
