Modern products consist to a significant extent of Open Source Software (OSS). While this promotes development speed and innovation, it also creates complex dependencies: a single vulnerability in an Open Source library can jeopardise entire product portfolios – but many manufacturers lack the transparency to determine whether they are affected. Without clear structures and defined processes, a technical vulnerability can quickly turn into an uncontrollable business risk.
The Cyber Resilience Act (CRA) addresses precisely this issue. From 2026/2027, structured security processes and professional OSS management will be a prerequisite for market access in the EU. Open Source remains a central element of modern technologies – but at the same time it is becoming an essential compliance factor. Companies need clear guidelines, roles, supply chain transparency, and a Software Bill of Materials (SBOM) to reliably meet the requirements. Those who do not act now are jeopardising their market access in the EU.
For the first time, the CRA establishes uniform, mandatory security requirements for products with digital elements – including the Open Source components used. Companies must ensure that products are placed on the market without known, exploitable vulnerabilities. Cybersecurity is thus becoming a mandatory task for companies. This requires continuous vulnerability assessments, timely remediation, and where applicable, contributing security fixes back to the community. In addition, the CRA requires defined support periods and clear reporting obligations for serious security incidents.
The Software Bill of Materials is a core element of the CRA. It documents all software components and dependencies in a standardised format such as SPDX or CycloneDX. Beyond its regulatory obligation, it offers practical added value: SBOMs enable a rapid assessment of whether new vulnerabilities affect a product, facilitate audits, and create a common information base for customers and authorities. In practice, the fully tool-based generation of SBOMs has established itself as an efficient approach.
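The rapid "are we affected?" assessment described above, as an added example that is not part of the original article: a small Python routine that reads a CycloneDX JSON SBOM, matches each component's package URL (purl) against an advisory feed, and reports components whose version is below the first fixed version. The SBOM and the advisory entries are constructed for illustration; the advisory identifiers are placeholders, not real CVEs.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment (not taken from any real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-helper@2.14.1"},
    {"type": "library", "name": "jsonlib", "version": "1.2.0",
     "purl": "pkg:npm/jsonlib@1.2.0"},
    {"type": "library", "name": "crypto-util", "version": "3.0.2",
     "purl": "pkg:pypi/crypto-util@3.0.2"}
  ]
}
"""

# Constructed advisory feed: affected package (purl without version) and the
# first fixed version. The ids are placeholders, not real advisory numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pkg:maven/org.example/log-helper", "fixed_in": "2.15.0"},
    {"id": "ADV-PLACEHOLDER-2", "package": "pkg:npm/jsonlib", "fixed_in": "1.1.5"},
]

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def split_purl(purl):
    """Split 'pkg:type/ns/name@version?qualifiers' into (coordinate, version)."""
    coord, _, rest = purl.partition("@")
    return coord, rest.split("?")[0]  # drop purl qualifiers for version matching

def affected_components(sbom_json, advisories):
    """Return (advisory id, purl) for every SBOM component whose version is
    below the first fixed version of an advisory for the same package."""
    sbom = json.loads(sbom_json)
    by_coord = {a["package"]: a for a in advisories}
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl the component cannot be matched reliably
        coord, version = split_purl(purl)
        adv = by_coord.get(coord)
        if adv and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["id"], purl))
    return hits

if __name__ == "__main__":
    for adv_id, purl in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl} is affected")
```

Components without a purl are skipped rather than guessed at, which is exactly why complete, tool-generated SBOMs matter for this check.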
The CRA also applies a lighter regime to organisations that support OSS without commercialising it. This includes, for example, foundations such as the Eclipse Foundation or the Apache Software Foundation, which coordinate large OSS projects. They do not apply CE markings themselves, but must maintain a cybersecurity strategy, provide relevant documentation, and cooperate with authorities. This strengthens the security of central OSS ecosystems while preserving the community's ability to innovate.
“The Cyber Resilience Act marks the transition from best practices to meeting regulatory requirements. For companies, this means that Open Source Software must above all be managed in a secure, controllable, and transparent manner.”
PwC supports companies in building CRA readiness and embedding OSS management practices in an efficient and effective way.