https://ec.europa.eu/eusurvey/runner/CRA-Attestation-Survey-2026-FOSDEM
Welcome to the Attestation Survey on the Cyber Resilience Act (CRA) Thank you for participating in this survey. Your input is vital to understanding the impact and necessary preparation for the Cyber Resilience Act (CRA) within the open source ecosystem. The CRA establishes cybersecurity requirements for products with digital elements throughout their lifecycle. Depending on your role, the Act places specific responsibilities upon you: Manufacturers: You will be required to comply with cybersecurity regulations covering all components of the PwDE you place on the market, this includes all Free and Open Source Software (FOSS) components, as well as all 2nd and 3rd party components integrated into your product. Open Source Software Stewards: The CRA defines responsibilities for entities that maintain FOSS with commercial intent, affecting how security vulnerabilities are managed and communicated across the supply chain. About the Data and Time The data collected through this survey will support the work developed in the CRA Attestations project. This Project's purpose is to explore the topic of, and eventually publish guidance regarding, voluntary security attestations for open source projects per Article 25 of the Cyber Resilience Act. These attestations can help support the maintenance and security of open source projects in exchange for lowering the compliance burdens of manufacturers which use those projects in commercial products on the European market. We estimate this survey will take you 10 minutes to complete. Your thoughtful and accurate responses are greatly appreciated. The survey does not require any personal or confidential information to be provided, all the data collected in the survey will be accessible through an open source licence approved by OSI. If you are interested in knowing more about the project and related Open Regulatory Compliance where open source and the CRA is discussed, please join our community through the mailing list and our GitHub. Take a look at the FAQ from the European Commission for further clarification. (..) -- CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
