Hi everyone,

As promised we keep you updated on new developments on the Cyber-Resilience Act in the EU, a legislation that will affect everyone providing products based on digital elements on the European market in the coming years (not just open source).

The text that was adopted at first reading by the European Parliament on March 12 has been published, you can find it here:

https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html#title2

It is based on the same text that the Trilogue negotiations agreed to in November 2023, which we previously communicated to you when it was published in December, but is not exactly the same. You will find that the recitals and articles have been renumbered, but overall the text did not change much.

One addition that is significant from the perspective of open source appears in article 2(48) when they define what they mean by open source:

“Free and open-source software is understood as software the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable.”

You can see that in addition to requiring a license that respects base open source freedoms, they added the requirement that the source code be "openly shared", a requirement that is not encoded in open source licenses (only recipients of binary form must be able to request the corresponding source code). We have evidence that this was carefully considered and added on purpose, in one step that reinforces the permissionless innovation nature of open source.

The process is now moving to defining the "harmonized standards", which translate the requirements detailed in the regulation into detailed technical specifications. Those are a critical element, as products which are in conformity with those harmonized standards will be presumed in conformity with the CRA.
The Commission published a few days ago the draft of the upcoming call for European Standards Organizations (ESOs) to produce such standards:

https://ec.europa.eu/docsroom/documents/58974

Given that those standards organizations do not have a stellar record for transparency and engaging with the open source community, it was a relief to see that in this draft the Commission requires that "particular account should be given to the needs of the free and open source software community" (recital 10), that the inclusion of the open source community is documented in the ESOs' work programmes (article 2), and that the reporting on the work includes a clear description of how they facilitated representation and participation of the relevant stakeholders (specifically including the open source community, article 3). The first standards are expected for August, 2026.

The OpenInfra Foundation staff continues to engage with the relevant stakeholders to follow progress and engage as necessary. We'll continue to keep you updated on new developments.

Regards,

--
Thierry Carrez
General Manager, OpenInfra Foundation