Beyond the Download Button: Managing Open Source Risk Under CRA (N22a)
The Cyber Resilience Act introduces continuous maintenance requirements throughout a product's lifecycle, fundamentally shifting open source responsibility. The CRA transposes the security burden from upstream maintainers to downstream manufacturers, who must now monitor, assess, and remediate vulnerabilities in every open source dependency, even without control over the original projects. This talk explores critical challenges: establishing vulnerability monitoring for hundreds of components, balancing 24-hour critical response requirements against testing realities, and managing abandoned upstream projects. The speakers examine practical approaches, including SBOM management, automated scanning, and patch prioritization strategies. Attendees gain actionable insights for building sustainable maintenance programs that satisfy CRA requirements while leveraging open source components under Europe's most significant product security regulation.
