Giant Swarm breaks down how EU Cyber Resilience Act compliance is pushing more companies to contribute to open source — and why it matters.

Giant Swarm is a leading provider of managed Kubernetes services, empowering organizations to build, deploy, and operate cloud-native applications with confidence. Through  guides, best practices, and real-world use cases, readers gain  insights into Kubernetes adoption, cluster management, and application lifecycle management. With Giant Swarm as their  partner, organizations unlock the full potential of Kubernetes for driving digital innovation and accelerating time-to-market.

Giant Swarm

The EU Cyber Resilience Act (CRA), with most obligations kicking in around 2027, is creating an unexpected incentive for companies to donate internal tools to open source foundations like the Linux Foundation, CNCF, or Apache. By transferring ownership to a foundation, companies shift from owning a 'commercial product with digital elements' to using an external dependency, changing their compliance liability profile. Beyond the legal maneuvering, the CRA may force companies to genuinely reckon with their open source dependencies — tracking SBOMs, responding to vulnerabilities, and recognizing that running open source commercially has real costs that were previously hidden or externalized. This could accelerate funding and contributions to open source foundations, potentially improving ecosystem sustainability even if it doesn't fully solve it.

The CRA's unexpected effect on open source

Could this actually be good for open source?