CRA Article 25 — Attestation for Open-Source Software

This survey gathers input on how voluntary security attestation programmes for open-source software could work under Article 25 of the Cyber Resilience Act.

CRA Article 25 - Security attestation of free and open-source software:

"In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential
cybersecurity requirements or other obligations laid down in this Regulation."

This survey is open for responses until February 28.