Virtually Attend FOSDEM 2026

CRA in practice Track

2026-01-31T15:00:00+01:00

Opening remarks and housekeeping.

2026-01-31T15:05:00+01:00

Deutsche Bahn, with its 230,000 employees and hundreds of subsidiaries, is far from an average organization. Yet it faces the same challenges under the CRA as many others. In this session, we will show how we connected the concrete requirements of CRA compliance with our broader effort to bring transparency to our software supply chains. This forms the basis for security and license compliance processes, as well as for proactively shaping the ecosystems we depend on.

We will outline our strategy for addressing the expectations tied to the different roles we take on -- customer, manufacturer, and indirectly even steward -- from both organizational and technical angles. Given the diversity and scale of Deutsche Bahn, we rely on modular FOSS tools that offer the flexibility to adapt to varying stakeholder needs and evolving regulation. This flexibility is a core element of our approach. Join this session to learn how we align strategy and technology to make this work.

2026-01-31T15:30:00+01:00

EV charging stations expose a uniquely difficult CRA landscape. A single physical device can be accessed through very different user paths: ISO 15118 (Plug&Charge), RFID cards, mobile apps, credit-card terminals, and OEM backends. Between the end user and the actual product manufacturer sit multiple intermediaries (CSMS, OEM cloud, roaming hubs, payment processors), each with partial control over configuration, telemetry, and security posture. How can all the CRA obligations be delivered across this complex ecosystem? At the same time, a typical Charging Station Operator (CPO) has to manage over 300 different manufacturers, models, and firmware images, and the cyber security posture can differ widely, from monitored private charging stations up to high-power public charging stations.

Rather than relying on "out-of-band" CRA management, a better approach might be to integrate all CRA cyber security obligations, and especially vulnerability management, deeply into commonly used management protocols such as the Open Charge Point Protocol (OCPP). This removes the disconnect between CRA compliance work and operational reality.

Work in the Open Charge Alliance (notably the Cyber Security Task Group), CyberStand.eu’s CRA alignment efforts, and the newly NLnet NGI Zero Commons–funded EVQI project are already pushing concrete interfaces in this direction: device-model variables for CRA readiness, structured vulnerability and lifecycle metadata, cross-vendor health monitoring, and standardized audit-trail exports suitable for CRA Article 10-15 reporting.

This session outlines how CRA obligations can be realized in a heterogeneous, multi-vendor charging ecosystem, with an emphasis on operators managing 50,000+ devices. It shows which processes must be automated, which artefacts need to be transported over OCPP, and how deep protocol-level integration enables consistent, scalable CRA compliance across an extremely diverse EV-charging landscape.

2026-01-31T15:55:00+01:00

Erlang/OTP is an open source programming language designed for the development of concurrent and distributed systems. Created 40 years ago and open sourced in 1998, Erlang is used by Ericsson, Cisco, WhatsApp, Discord, and Klarna for mission-critical applications, and is loved by a broad community of open source developers. With the advent of the Cyber Resilience Act (CRA), the Erlang/OTP team, jointly with the Erlang Ecosystem Foundation (EEF), began to prepare the project to meet CRA requirements. In this presentation, Kiko will describe and dive into the various supply chain best practices implemented by the Erlang/OTP project: the creation of Source Software Bills of Materials (Source SBOMs), automated vulnerability scanning of dependencies using OSV, creation of OpenVEX statements, vulnerability handling in collaboration with the EEF as CNA, and contributions towards other open source projects [[1],[2],[3]] to improve the security posture of the ecosystem. Moreover, Kiko will provide insight into the lessons learned from implementing these measures in an open source project.

2026-01-31T16:20:00+01:00

Embedded products are at the core of the Cyber Resilience Act, yet they face unique compliance challenges. Hardware vendors ship heavily patched BSPs, software modules often diverge from upstream, and reliable identification of modified components is still far from solved. For teams building products on top of these layers, translating CRA requirements into daily engineering practice is not straightforward.

This talk provides a practical overview of where CRA compliance currently stands for embedded devices, using Yocto Project–based workflows as a representative example. We will explore what is already achievable today with existing tooling (SBOM generation, vulnerability scanning, provenance capture), and highlight the gaps that still require industry-wide definitions - from consistent software identification to handling vendor modifications and long-tail dependencies.

Participants will gain a grounded, realistic understanding of how CRA obligations map to actual embedded development, what can be implemented now, and where the ecosystem still needs collective work to reach a "working" state.

2026-01-31T16:45:00+01:00

The Cyber Resilience Act (CRA) is reshaping expectations around open source software, introducing new requirements for security, traceability, and documentation. While maintainers are responsible for technical compliance, community managers play a critical but often overlooked role in helping projects adapt. This session is designed for community managers, project maintainers, stewards, and open source contributors interested in practical CRA readiness. The focus is on practical enablement by Community Managers, exploring how they can support compliance without assuming legal liability.

We’ll show how Community Managers can:
- Communicate CRA-relevant processes to contributors, downstream adopters, and vendors
- Structure documentation, governance pages, and onboarding materials for clarity and discoverability
- Protect newcomers from unnecessary compliance burden, keeping contribution welcoming and accessible
- Support maintainers by triaging non-technical questions, coordinating workflows, and preventing burnout
- Facilitate cross-project collaboration, shared tooling, and evidence collection practices
- Manage vulnerability communication to maintain trust and transparency

The objective is for attendees to leave with practical strategies, templates, and examples that make CRA compliance manageable while keeping open source communities healthy and contributor-friendly. This session is ideal for community managers, project stewards, maintainers, and anyone interested in the human side of CRA readiness in FOSS projects. Attendees will leave with key takeaways:
- Understand CRA’s indirect impact on community management, with a checklist of how-tos
- Learn concrete ways to keep projects welcoming despite increased compliance expectations
- Explore templates and workflow ideas that reduce friction for contributors and maintainers alike
- See examples of cross-project coordination and documentation practices that support CRA readiness

This session emphasizes practical, community-driven solutions, focusing on doing rather than debating legal strategy, to make CRA compliance achievable and sustainable for FOSS communities.

2026-01-31T17:00:00+01:00

This panel brings together experts to discuss the practical realities of implementing the CRA steward role, as defined by the regulation, and how organisations are approaching its execution. Panelists will explore how the concept of CRA stewards is being interpreted, what responsibilities are emerging in practice, and the challenges organisations face in preparing for this new function. They will also highlight which elements remain unclear, what support or guidance is still needed, and how future work at the level of the EC and the broader ecosystem can help refine and operationalise the steward role effectively. The panel aims to offer concrete insights for organisations navigating this evolving responsibility.

2026-01-31T17:30:00+01:00

Security teams are currently drowning in vulnerability data, but the Vulnerability Exploitability eXchange (VEX) offers a solution by providing machine-readable clarity on which exploits actually matter. This technology is rapidly evolving from a "nice-to-have" efficiency tool into a critical compliance enabler for the EU Cyber Resilience Act (CRA), which mandates effective vulnerability handling for the European market.

In this session, Georg and Rao present the findings from the VEX Industry Collaboration Working Group, a group of industry leaders driving the development and application of VEX. The group identified a set of challenges and gaps hampering adoption, ranging from the different evolving technical directions in VEX formats to practical barriers such as discovery and distribution of VEX documents, immature tooling, and education. Rao and Georg will outline a shared path forward, advocating for the creation of a common distribution system, development of necessary tooling, and establishing a forum for collaboration between industry partners and open source projects to drive adoption and education.

2026-01-31T17:45:00+01:00

The Cyber Resilience Act (CRA) requires a risk-based approach when developing and supporting products, even those that are only software. The most important part of this is the cybersecurity risk assessment. This document is the main thing that decides which essential cybersecurity requirements you must follow for your product and which ones you don't need to implement. If you don't have this cybersecurity risk assessment, your product will be seen as not compliant in the EU market, no matter how good it is overall. You are in charge of creating this risk assessment.

In this session, we will learn the steps of this formal and documented process to set up a compliant and reliable way to manage cybersecurity risks for your products with digital elements.

We will draw inspiration from standard industry practices for information security risk management and the recently released EN 40000-1-2 draft from the European Committee for Electrotechnical Standardization.

We will start by defining the product's context and defining risk acceptance criteria. Then, we will move to the risk assessment itself. This involves finding and documenting the product's assets and objectives, identifying threats, estimating how big the risks are, and then evaluating the risks to process them further.

To close the risk management loop, we will discuss how to treat risks, how we need to communicate risks to our users and how to monitor and review those identified risks.

2026-01-31T18:00:00+01:00

The implementation of the EU Cyber Resilience Act is currently shaped by two flawed assumptions: that most open source projects have a steward, and that stewards are synonymous with foundations. Data from the JavaScript and Rust ecosystems shows the opposite—hundreds of thousands of widely used packages exist outside any stewardship structure, while foundations oversee only a tiny fraction. The CRA anticipated this reality and introduced a separate mechanism to help manufacturers meet due-diligence requirements: a security attestation program intended to function as an open-source analogue to CE marking. Done well, attestations can dramatically simplify compliance while improving security and sustainability across the ecosystem.

Current proposals, however, lean toward lightweight models that offer limited value to manufacturers and little support for the maintainers who produce the software those manufacturers rely on. This talk proposes a more effective middle path: an attestation approach that leverages maintainer expertise, delivers clear and actionable assurances to manufacturers, and creates sustainable revenue channels for projects.

Using the OpenJS Foundation’s Ecosystem Sustainability Program (ESP) as a concrete example, we will illustrate how project-approved commercial support, revenue sharing, and clear integration points can produce benefits for both manufacturers and maintainers. ESP demonstrates how a structured program can help fund essential security and maintenance work without requiring projects to become foundation-stewarded. By connecting these lessons to the CRA’s attestation framework, the session outlines what a truly useful attestation system could deliver: practical compliance for manufacturers, meaningful support for maintainers, and a healthier, more resilient open source ecosystem.

2026-01-31T18:15:00+01:00

Everyone's building CRA compliance tooling: SBOM generators, vulnerability scanners, security scorecards, automated due diligence checks. But, CRA readiness isn't just about tooling. It's about ensuring the data feeding those tools is actually accurate and trusted. The project activity, package metadata, licensing information, and vulnerability data these tools depend on is systematically unreliable, and we need to fix it at the source.

This talk demonstrates why data accuracy is the blocking issue for practical CRA readiness. We'll show real-world examples from major package ecosystems: Python packages with wrong license declarations, Java JARs with embedded vulnerable dependencies that scanners miss, Rust crates with incomplete origin metadata. When demonstrating due diligence or attempting automated vulnerability reporting, the underlying data failures make compliance impossible, no matter how good your tools are.

The good news is that this is solvable, and the FOSS community is already working on it!

We'll present concrete approaches being deployed across ecosystems: systematic metadata curation projects that scan and fix package data at scale, validation tooling that catches errors before publication, and community infrastructure that makes accurate software metadata freely available. You'll see how projects like Maven Heaven, T-Rust, and Nixpkgs Clarity are cleaning up metadata for the most popular packages, releasing curated data under open licenses, and providing author-facing tools to prevent bad data from entering registries. And we'll discuss how reliable project health data provides critical insights for proactive CRA due diligence and risk management.

This session gives you practical next steps: how to audit data quality in your dependencies, contribute to metadata curation efforts, integrate validation into your publishing workflow, and leverage community-curated data for more reliable compliance automation.

2026-01-31T18:30:00+01:00

For FOSS maintainers, many of whom contribute voluntarily and without formal organizational backing, the CRA raises urgent questions: What exactly changes for my project? What responsibilities - if any - apply to me? And how can I prepare without being overwhelmed? This panel puts FOSS maintainers at the center of the conversation. Joined by industry practitioners for complementary perspectives, maintainers will discuss what the CRA means for day-to-day project work, long-term sustainability, and collaborative development practices. Key topics include:
- Which CRA obligations might touch volunteer-driven FOSS projects - and which clearly do not
- Which tools you use right now, or plan to use, to get closer to CRA readiness, and what you’re still missing
- How maintainers can proactively position their projects without needing formal compliance
- How industry stakeholders can step up to support the FOSS components they rely on
- Practical guidance on documentation, secure development practices, and project governance
- How the CRA could catalyze a healthier relationship between FOSS communities and commercial users