The EU Cyber Resilience Act (CRA), with most obligations kicking in around 2027, is creating an unexpected incentive for companies to donate internal tools to open source foundations like the Linux Foundation, CNCF, or Apache. By transferring ownership to a foundation, companies shift from owning a 'commercial product with digital elements' to using an external dependency, changing their compliance liability profile. Beyond the legal maneuvering, the CRA may force companies to genuinely reckon with their open source dependencies — tracking SBOMs, responding to vulnerabilities, and recognizing that running open source commercially has real costs that were previously hidden or externalized. This could accelerate funding and contributions to open source foundations, potentially improving ecosystem sustainability even if it doesn't fully solve it.

6 min read. From giantswarm.io

Table of contents
What the CRA actually does
The foundation strategy
Could this actually be good for open source?
What the CRA might actually change
