Open Source Under the Cyber Resilience Act: Governance, Collaboration, and Sustainable Compliance
Dan Horovitz, Sandrine Pic, ARM
The EU Cyber Resilience Act (CRA) marks a significant shift in how cybersecurity responsibilities are defined for digital products — including software built on open source. While the regulation explicitly protects non-commercial open source development, it also introduces new obligations for organizations that commercialize, distribute, or embed open source software into products placed on the EU market.
This talk explores the implications of the CRA for open source communities, maintainers, and organizations using open source in their products.
Community, open source policy and digital sovereignty
Main stage