As the EU Cyber Resilience Act (CRA) moves closer to the implementation deadline, software manufacturers across multiple verticals are beginning to understand its extensive implications for software security and compliance, which are now inseparable from innovation.

At Red Hat, we sit at a unique intersection. We are a manufacturer delivering enterprise open source solutions, but we are also a potential open source software steward. This dual role means that we fully support regulation that helps to strengthen organizational cybersecurity postures up and downstream. At the same time, we also want to drive international alignment on standards and regulations that further support, rather than stifle, the global open source ecosystems that modern IT depends on.

Making the CRA Actionable

Red Hat began preparing for the CRA before its inception due to on-the-ground policy engagement and collaboration with the European Commission. We recognised that compliance would not be achieved through a single checklist, but through a culture of secure development practices embedded in everything we do.

To that end, we established a comprehensive internal CRA program spanning eight workstreams, ranging from awareness and internal/external communication to vulnerability management, incident response, conformity assessment and legal review. This structure reflects our long-standing commitment to building software with enhanced security footprints by default. While Red Hat already follows secure-by-design principles, the CRA prompted a thorough review of existing processes to confirm full alignment. The CRA now gives us an opportunity to formalize and extend those efforts across our entire product life cycle.

We’re confident that this approach not only positions Red Hat for compliance with the CRA but also helps the broader open source ecosystem adapt to the Act’s requirements. After all, the health of that ecosystem directly affects the success of every software manufacturer, including us.

Raising the Bar For Open Source

The CRA will inevitably raise expectations for security design and transparency across the software industry. Given the legal requirement to conduct due diligence on open source components they wish to integrate, manufacturers will need to be more selective about the open source components they use, incentivizing prioritization of projects that demonstrate strong security practices, provide clear documentation and publish essential security metadata such as software bills of materials (SBOMs).

This is a positive step, but it also introduces challenges. The risk is that smaller, less-resourced projects may be overlooked, creating an uneven playing field. To prevent sacrificing innovation for compliance, manufacturers, foundations and contributors must work together to share best practices and provide the resources projects need to meet these new standards.

Dispelling Misconceptions

In conversations across the global open source community, we’ve heard several recurring misconceptions about the CRA. The first is that it applies only to hardware or physical devices. In reality, software itself can be considered a “product with digital elements,” meaning that, for example, operating systems, browsers and password managers are all within scope, along with other verticals.

Another misconception is that the CRA is a problem for 2027. While the regulation’s full application deadline is Dec. 11, 2027, some deadlines come into effect in 2026. Manufacturers must act now to align their processes, assess risks and prepare for conformity assessments and European conformity marking requirements. Waiting until 2027 and for all implementing standards to be ready simply isn’t an option.

Finally, many maintainers and developers assume their questions are too specific or too small to matter. The truth is, they’re not alone. Everyone is navigating the same uncertainties. The key is to collaborate, ask questions and learn together.

Collaboration as Compliance

That belief in collective effort is why Red Hat joined the Open Regulatory Compliance (ORC) working group. ORC brings together manufacturers, open source stewards and policymakers to help translate the CRA into practical, actionable guidance.

We’re proud to contribute to efforts such as the EU Commission draft CRA guidance on open source as well as the CRA FAQ, a comprehensive public resource on how the regulation affects open source, and a series of white papers that explore issues like software manufacturer responsibilities and the relationship between open source projects and regulatory requirements. These deliverables help make compliance more accessible and achievable for everyone across the broader open source community, from larger enterprises to smaller projects.

Through ORC, we are preparing for our own CRA compliance and helping shape the ecosystem’s path toward CRA readiness.

A New Era Of Stewardship

Perhaps the most transformative aspect of the CRA is its recognition of the role of open source software stewards. For the first time, the concept of stewardship has been formally acknowledged in law.

This recognition is critical. It affirms that foundations, organizations, and companies like Red Hat play a vital role in bridging the gap between individual projects and the regulatory obligations placed on manufacturers. It also reinforces the idea that compliance is not a burden, but an opportunity to strengthen trust, accountability and long-term sustainability across the entire software supply chain.

The CRA is a catalyst — a signal for manufacturers, stewards and maintainers to come together to strengthen the security posture of open source. But it also invites us to collaborate in new ways — to align our practices, share our knowledge and build a more resilient digital future. For Red Hat, that is not just a compliance goal. It’s part of our mission of being the catalyst in communities of customers, contributors and partners, creating better technology the open source way.

The post Making the Cyber Resilience Act Work for Open Source appeared first on The New Stack.