{"id":31004,"date":"2025-09-09T11:30:58","date_gmt":"2025-09-09T15:30:58","guid":{"rendered":"https:\/\/www.lpi.org\/articles\/\/"},"modified":"2025-09-09T11:32:37","modified_gmt":"2025-09-09T15:32:37","slug":"the-cyber-resilience-act-and-open-source","status":"publish","type":"post","link":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/","title":{"rendered":"The Cyber Resilience Act and Open Source"},"content":{"rendered":"<p><em>Linux Professional Institute (LPI) closely follows the evolving landscape of software regulations and their impact on the open source community. The Cyber Resilience Act (CRA) is one such regulation sparking global debate\u2014not only for European developers but also for those maintaining or contributing to open source projects outside the European Union (EU).<\/em><\/p>\n<p><em>If a product that includes a project\u2019s code is made available on the EU market in the course of a commercial activity, the CRA may apply to whoever places it there, no matter where the project\u2019s developers are based. This raises urgent questions about liability, compliance, and sustainability for developers worldwide.<\/em><\/p>\n<p><em><strong>In this discussion<\/strong>, Moreno Razzoli (AKA Morrolinux: Linux and FOSS Evangelist, LPI Partner and Member), and Andrea Palumbo (an Italian lawyer specialising in technology, LPI\u2019s Solution Provider Partner), sat down with <a href=\"https:\/\/www.linkedin.com\/in\/tommasobonvicini\/\">Tommaso Bonvicini<\/a>, a freelance software developer passionate about C++, open source, and everything that can be tinkered with, to unpack what the CRA could mean for open source projects. This article summarizes their key insights. Buckle up: it\u2019s going to be a ride.<\/em><\/p>\n<h2>The Cyber Resilience Act: What\u2019s Happening?<\/h2>\n<p>The Cyber Resilience Act (CRA), a European regulation aimed at enhancing cybersecurity standards for software and hardware, officially came into force on December 10, 2024. 
Most of its obligations apply from December 11, 2027, three years later, but the vulnerability and incident reporting obligations apply earlier, from September 11, 2026, so companies, developers, and open source projects will need to adapt before then.<\/p>\n<p>The act introduces new security obligations for software and connected devices, aiming to reduce vulnerabilities and improve response times to security threats. But as <a href=\"https:\/\/www.lpi.org\/blog\/2024\/02\/06\/lpis-cra-webinar-11-how-it-went\/\">LPI highlighted more than a year ago<\/a>, not everything about the CRA is smooth sailing, especially when it comes to the commercial distribution of free and open source software.<\/p>\n<h2>The Good, the Bad, and the Bureaucratic<\/h2>\n<p>At first glance, the <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cyber-resilience-act\">CRA sounds great<\/a>\u2014who wouldn\u2019t want <a href=\"https:\/\/www.lpi.org\/our-certifications\/security-essentials-overview\/\">better security<\/a>? The regulation mandates:<\/p>\n<ul>\n<li>Minimum security requirements for software and hardware placed on the EU market.<\/li>\n<li>Lifecycle management requirements, including security updates for a support period of at least five years (or the product\u2019s expected lifetime, if that is shorter).<\/li>\n<li>Mandatory reporting of actively exploited vulnerabilities and severe incidents: an early warning within 24 hours of becoming aware of them, a fuller notification within 72 hours, and a final report no later than 14 days after a fix or mitigation is available (for incidents, a final report within one month).<\/li>\n<\/ul>\n<p>On paper, these seem like solid cybersecurity measures. However, when one looks at the real-world impact, things get messy.<\/p>\n<p>One of the biggest concerns is who bears the responsibility for compliance. Open-source projects, which rely on volunteers and community contributions, might find these obligations overwhelming. If a solo developer writes a patch that introduces a bug, who is held accountable\u2014the contributor, the maintainer, or the entire project?<\/p>\n<h2>Open Source: Caught in the Crossfire?<\/h2>\n<p>Initially, the CRA didn\u2019t exempt open-source projects, meaning that even non-commercial software could have been subject to the same rigorous standards as enterprise solutions. 
Thanks to significant lobbying from the open-source community, the final version now includes exemptions such as the following:<\/p>\n<ul>\n<li>Non-commercial free and open-source software (FOSS) is exempt from CRA requirements.<\/li>\n<li>Projects that recover costs or reinvest profits into non-commercial activities remain exempt.<\/li>\n<li>Donations to open-source projects do not trigger CRA compliance, unless they come from commercial entities and are recurring in nature.<\/li>\n<\/ul>\n<p>Foundations and similar organisations that systematically support FOSS intended for commercial use are placed under a separate, lighter \u201copen-source software steward\u201d regime instead of the full set of manufacturer obligations.<\/p>\n<p>That\u2019s good news for community-driven projects, but there\u2019s a catch\u2014what happens when an open-source tool is used in a commercial product? If a company integrates open-source components into its proprietary software, the burden of compliance shifts to that company. The CRA also requires it to exercise due diligence when integrating third-party components, including FOSS, and to report any vulnerability it finds in such a component to whoever maintains it. This means large companies will need to identify and document their open source dependencies (the CRA requires a software bill of materials), which could lead to trickle-down effects on contributors.<\/p>\n<h2>The Privacy and Security Dilemma<\/h2>\n<p>One of the most controversial aspects of the CRA is its requirement that manufacturers report actively exploited vulnerabilities (and severe incidents affecting a product\u2019s security) within 24 hours of becoming aware of them, through a single reporting platform, to the following entities:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.enisa.europa.eu\/\">ENISA<\/a> (European Union Agency for Cybersecurity), which operates the reporting platform<\/li>\n<li>The national computer security incident response team (CSIRT) designated as coordinator in the manufacturer\u2019s EU member state; the platform can also make the notification available to the CSIRTs of other member states where the product is sold<\/li>\n<\/ul>\n<p>This creates two major risks, not limited to open source software:<\/p>\n<ul>\n<li>Potential misuse by government agencies: As <a href=\"https:\/\/www.southwales.ac.uk\/news\/2024\/september\/five-notorious-cyberattacks-that-targeted-governments\/\">seen in the past<\/a> (think NSA exploits), centralizing security vulnerabilities can lead to mass surveillance or malicious cyber operations.<\/li>\n<li>A massive hacking target: With multiple entities storing security flaws, attackers could breach these databases and weaponize zero-day vulnerabilities.<\/li>\n<\/ul>\n<p>As Andrea put it, &#8220;We\u2019re creating a list of the most dangerous security holes in Europe and handing it out like a party invite.&#8221;<\/p>\n<h2>What About Unfinished Software?<\/h2>\n<p>Another murky area is the regulation\u2019s definition of \u201cunfinished software\u201d\u2014a term that includes alpha, beta, and testing versions. While software in these stages may be made available for testing purposes and for a limited time, developers must still assess risks and apply security measures before public releases.<\/p>\n<p>Here\u2019s where it gets weird:<\/p>\n<ul>\n<li>The CRA states that unfinished software must be available for a \u201climited time\u201d\u2014but doesn\u2019t define what \u201climited\u201d means. A year? A decade?<\/li>\n<li>Software must explicitly state that it\u2019s unfinished\u2014but where? A disclaimer in the settings? A pop-up at launch?<\/li>\n<\/ul>\n<p>For developers who use rolling releases or continuously update their software (think nightly builds), this requirement is a nightmare. Once again, the problem goes beyond open source.<\/p>\n<h2>How Do These Issues Affect Open-Source Contributions?<\/h2>\n<p>If you contribute to open-source projects, should you be worried? The answer is unclear.<\/p>\n<ul>\n<li>Minor contributions are probably safe.<\/li>\n<li>Major changes\u2014especially forks or substantial modifications\u2014could make you legally responsible for complying with at least some parts of the CRA, if the result is then made available commercially.<\/li>\n<li>If you maintain a fork that diverges significantly, you might be considered the \u201cmanufacturer\u201d under CRA rules, the regulation\u2019s term for the party that carries the obligations, because a substantial modification of a product makes the modifier its manufacturer.<\/li>\n<\/ul>\n<p>The bottom line: If you\u2019re just submitting small patches, you\u2019re likely fine. But if you create a project from the ground up, or take an existing project and develop it into something new, be prepared for extra scrutiny.<\/p>\n<h2>What\u2019s Next?<\/h2>\n<p>The CRA isn\u2019t all bad\u2014it sets baseline security expectations and clarifies accountability where none existed before, or where it was too weak to be effective. 
But its broad and vague definitions, especially regarding free and open-source software, could create more confusion than clarity.<\/p>\n<p>For now, major takeaways include:<\/p>\n<ul>\n<li>Open-source software is mostly exempt, unless it is made available commercially.<\/li>\n<li>Companies integrating FOSS into products must ensure compliance.<\/li>\n<li>Privacy concerns around vulnerability reporting remain unsolved.<\/li>\n<li>Smaller developers might struggle with bureaucracy.<\/li>\n<\/ul>\n<p>The good news? There\u2019s still time to make improvements\u2014most of the CRA\u2019s obligations won\u2019t apply until December 11, 2027, although the vulnerability and incident reporting duties start earlier, on September 11, 2026, so developers, companies, and communities still have time to adapt.<\/p>\n<h2>Final Thoughts<\/h2>\n<p>As Moreno, Andrea, and Tommaso wrapped up their discussion, the consensus was clear: the CRA isn\u2019t a disaster, but it\u2019s far from perfect.<\/p>\n<p>While it advocates for stronger security, it creates hurdles for small developers and raises concerns about centralized vulnerability reporting. The open-source community successfully lobbied for important exemptions, but questions remain about how enforcement will play out.<\/p>\n<p><em>Want to dive deeper? Watch the <a href=\"https:\/\/www.youtube.com\/watch?v=jqG0dFFs15A&amp;t=5s\">full discussion<\/a> on Morrolinux\u2019s channel (in Italian: \u201cCyber Resilience Act APPROVATO. Cosa cambia per l&#8217;Open Source\u201d, roughly \u201cCyber Resilience Act APPROVED. What changes for Open Source\u201d).<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Linux Professional Institute (LPI) closely follows the evolving landscape of software regulations and their impact on the open source community. 
The Cyber Resilience Act (CRA) is one such regulation sparking global debate\u2014not only for European developers but also for those &#8230; <a href=\"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/\" class=\"button-link\">Read more<\/a><\/p>\n","protected":false},"author":25,"featured_media":31005,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[50],"country":[],"language":[304],"ppma_author":[494],"class_list":["post-31004","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-europe","language-english"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.4) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>The Cyber Resilience Act and Open Source - Linux Professional Institute (LPI)<\/title>\n<meta name=\"description\" content=\"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition timeline.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Cyber Resilience Act and Open Source\" \/>\n<meta property=\"og:description\" content=\"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition timeline.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/\" \/>\n<meta property=\"og:site_name\" content=\"Linux Professional Institute (LPI)\" \/>\n<meta 
property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/LPIConnect\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-09T15:30:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-09T15:32:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1440\" \/>\n\t<meta property=\"og:image:height\" content=\"994\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Max Roveri\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@lpiconnect\" \/>\n<meta name=\"twitter:site\" content=\"@lpiconnect\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"Max Roveri\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"5\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/\"},\"author\":{\"name\":\"Max Roveri\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#\\\/schema\\\/person\\\/02b9466c140fbc531c580a831d1a2bd9\"},\"headline\":\"The Cyber Resilience Act and Open 
Source\",\"datePublished\":\"2025-09-09T15:30:58+00:00\",\"dateModified\":\"2025-09-09T15:32:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/\"},\"wordCount\":1076,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/article-CRA-Morro-Palumbo-Bonvicini.jpg\",\"articleSection\":[\"Europe\"],\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/\",\"name\":\"The Cyber Resilience Act and Open Source - Linux Professional Institute (LPI)\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/article-CRA-Morro-Palumbo-Bonvicini.jpg\",\"datePublished\":\"2025-09-09T15:30:58+00:00\",\"dateModified\":\"2025-09-09T15:32:37+00:00\",\"description\":\"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition 
timeline.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/article-CRA-Morro-Palumbo-Bonvicini.jpg\",\"contentUrl\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/article-CRA-Morro-Palumbo-Bonvicini.jpg\",\"width\":1440,\"height\":994,\"caption\":\"The Cyber Resilience Act and Open Source\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/blog\\\/2025\\\/09\\\/09\\\/the-cyber-resilience-act-and-open-source\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The Cyber Resilience Act and Open Source\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/\",\"name\":\"Linux Professional Institute (LPI)\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#organization\",\"name\":\"Linux Professional Institute 
(LPI)\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/logo.png\",\"contentUrl\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2023\\\/04\\\/logo.png\",\"width\":496,\"height\":175,\"caption\":\"Linux Professional Institute (LPI)\"},\"image\":{\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/LPIConnect\",\"https:\\\/\\\/x.com\\\/lpiconnect\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/35136\",\"https:\\\/\\\/www.instagram.com\\\/lpi_org\\\/\",\"https:\\\/\\\/fosstodon.org\\\/@LPI\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/de\\\/#\\\/schema\\\/person\\\/02b9466c140fbc531c580a831d1a2bd9\",\"name\":\"Max Roveri\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/cropped-picture-1108-1599751879-96x96.png1c34482c35f58174a9b9d0a3cb19161e\",\"url\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/cropped-picture-1108-1599751879-96x96.png\",\"contentUrl\":\"https:\\\/\\\/www.lpi.org\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/cropped-picture-1108-1599751879-96x96.png\",\"caption\":\"Max Roveri\"},\"description\":\"Massimiliano \\\"Max\\\" Roveri is a writer, blogger, editor and social media manager. He started writing on the internet in the late '90s and he went back to the digital media in 2009. Since 2014 he lives in Ireland and, since 2015, he has been part of the LPI Italy team. 
He is professionally involved in cultural mediation projects, with an event management side, and in education projects as a professional and as a volunteer as well.\u00a0 With a background\u00a0in humanities and philosophy, he loves to address the ethical and social aspects of Open Source, with an approach that nods to Gregory Bateson and Robert M. Pirsig. Photo: uphostudio\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"The Cyber Resilience Act and Open Source - Linux Professional Institute (LPI)","description":"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition timeline.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/","og_locale":"de_DE","og_type":"article","og_title":"The Cyber Resilience Act and Open Source","og_description":"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition timeline.","og_url":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/","og_site_name":"Linux Professional Institute (LPI)","article_publisher":"https:\/\/www.facebook.com\/LPIConnect","article_published_time":"2025-09-09T15:30:58+00:00","article_modified_time":"2025-09-09T15:32:37+00:00","og_image":[{"width":1440,"height":994,"url":"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg","type":"image\/jpeg"}],"author":"Max Roveri","twitter_card":"summary_large_image","twitter_creator":"@lpiconnect","twitter_site":"@lpiconnect","twitter_misc":{"Verfasst von":"Max Roveri","Gesch\u00e4tzte 
Lesezeit":"5\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#article","isPartOf":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/"},"author":{"name":"Max Roveri","@id":"https:\/\/www.lpi.org\/de\/#\/schema\/person\/02b9466c140fbc531c580a831d1a2bd9"},"headline":"The Cyber Resilience Act and Open Source","datePublished":"2025-09-09T15:30:58+00:00","dateModified":"2025-09-09T15:32:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/"},"wordCount":1076,"commentCount":0,"publisher":{"@id":"https:\/\/www.lpi.org\/de\/#organization"},"image":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#primaryimage"},"thumbnailUrl":"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg","articleSection":["Europe"],"inLanguage":"de","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/","url":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/","name":"The Cyber Resilience Act and Open Source - Linux Professional Institute 
(LPI)","isPartOf":{"@id":"https:\/\/www.lpi.org\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#primaryimage"},"image":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#primaryimage"},"thumbnailUrl":"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg","datePublished":"2025-09-09T15:30:58+00:00","dateModified":"2025-09-09T15:32:37+00:00","description":"Understand the Cyber Resilience Act\u2019s effects on open source: liability, exemptions, mandatory reporting, and transition timeline.","breadcrumb":{"@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#primaryimage","url":"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg","contentUrl":"https:\/\/www.lpi.org\/wp-content\/uploads\/2025\/09\/article-CRA-Morro-Palumbo-Bonvicini.jpg","width":1440,"height":994,"caption":"The Cyber Resilience Act and Open Source"},{"@type":"BreadcrumbList","@id":"https:\/\/www.lpi.org\/de\/blog\/2025\/09\/09\/the-cyber-resilience-act-and-open-source\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.lpi.org\/de\/"},{"@type":"ListItem","position":2,"name":"The Cyber Resilience Act and Open Source"}]},{"@type":"WebSite","@id":"https:\/\/www.lpi.org\/de\/#website","url":"https:\/\/www.lpi.org\/de\/","name":"Linux Professional Institute 
(LPI)","description":"","publisher":{"@id":"https:\/\/www.lpi.org\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.lpi.org\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.lpi.org\/de\/#organization","name":"Linux Professional Institute (LPI)","url":"https:\/\/www.lpi.org\/de\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.lpi.org\/de\/#\/schema\/logo\/image\/","url":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/04\/logo.png","contentUrl":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/04\/logo.png","width":496,"height":175,"caption":"Linux Professional Institute (LPI)"},"image":{"@id":"https:\/\/www.lpi.org\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/LPIConnect","https:\/\/x.com\/lpiconnect","https:\/\/www.linkedin.com\/company\/35136","https:\/\/www.instagram.com\/lpi_org\/","https:\/\/fosstodon.org\/@LPI"]},{"@type":"Person","@id":"https:\/\/www.lpi.org\/de\/#\/schema\/person\/02b9466c140fbc531c580a831d1a2bd9","name":"Max Roveri","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/05\/cropped-picture-1108-1599751879-96x96.png1c34482c35f58174a9b9d0a3cb19161e","url":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/05\/cropped-picture-1108-1599751879-96x96.png","contentUrl":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/05\/cropped-picture-1108-1599751879-96x96.png","caption":"Max Roveri"},"description":"Massimiliano \"Max\" Roveri is a writer, blogger, editor and social media manager. He started writing on the internet in the late '90s and he went back to the digital media in 2009. Since 2014 he lives in Ireland and, since 2015, he has been part of the LPI Italy team. 
He is professionally involved in cultural mediation projects, with an event management side, and in education projects as a professional and as a volunteer as well.\u00a0 With a background\u00a0in humanities and philosophy, he loves to address the ethical and social aspects of Open Source, with an approach that nods to Gregory Bateson and Robert M. Pirsig. Photo: uphostudio"}]}},"views":1288,"authors":[{"term_id":494,"user_id":25,"is_guest":0,"slug":"mroverilpi-org","display_name":"Max Roveri","avatar_url":"https:\/\/www.lpi.org\/wp-content\/uploads\/2023\/05\/cropped-picture-1108-1599751879-96x96.png","0":null,"1":"","2":"","3":"","4":"","5":"","6":"","7":"","8":""}],"_links":{"self":[{"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/posts\/31004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/comments?post=31004"}],"version-history":[{"count":2,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/posts\/31004\/revisions"}],"predecessor-version":[{"id":31016,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/posts\/31004\/revisions\/31016"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/media\/31005"}],"wp:attachment":[{"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/media?parent=31004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/categories?post=31004"},{"taxonomy":"country","embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/country?post=31004"},{"taxonomy":"language","embeddable":true,"href":"https:\/\/www.lpi.org\/de\/wp-json\/wp\/v2\/language?post=31004"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.lpi.or
g\/de\/wp-json\/wp\/v2\/ppma_author?post=31004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}