There's a conversation happening quietly in legal and engineering teams across Europe right now. It's not about whether to comply with the EU Cyber Resilience Act — at this point, for most companies selling software into the EU market, that's not really a choice. It's more like: how do we structure this so it's actually manageable? And one of the answers coming up more and more is: donate it to a foundation. That's worth paying attention to.
The CRA, for those who haven't had to think about it yet, is the EU's attempt to bring meaningful cybersecurity requirements to products with digital elements — hardware, software, anything with a network connection that ends up in the hands of consumers or businesses in Europe. It passed in 2024, and most of the hard obligations kick in around 2027. The basic idea is reasonable: if you sell a product that can be attacked, you're responsible for making sure it isn't trivially so.
Where it got complicated, and where the open source community spent a lot of energy pushing back on early drafts, was around liability. Initially, the language was broad enough that it could have touched individual open source developers or projects with no commercial intent whatsoever. That would have been, to put it mildly, a disaster for the ecosystem.
The final version made an important distinction. Open source software developed and distributed outside of commercial activity is largely exempt. If you're maintaining a project on your own time, not getting paid, and not embedding it in a product you're selling, then you're mostly fine. The obligations fall on the companies commercializing it. That distinction sounds clean on paper. In practice, it creates some interesting pressure.
Here's the dynamic I think we'll start seeing more of. Companies that have been maintaining internal tools like infrastructure utilities, security tooling, and monitoring libraries are now looking at those tools through a new lens. If this code is embedded in products we sell, we have compliance obligations around it. We have to track vulnerabilities. We have to patch. We have to notify. We have to document.
For a well-resourced team with good processes, that might be manageable. For a lot of companies — especially those whose main business isn't software — it's a significant burden.
So the question comes up: what if we gave this to the Linux Foundation? Or the CNCF, Apache, or Eclipse? What if it became a proper open source project, governed externally, with a community of maintainers?
Suddenly the compliance calculus looks different. The company can still use it, still contribute to it, still shape its direction — but the "commercial product with digital elements" that the CRA is concerned about is no longer theirs in the same way. The liability question gets a lot more nuanced.
I'm not saying this is a clean legal escape hatch — it isn't, and anyone who tells you otherwise is oversimplifying. Companies integrating open source into what they sell still have real obligations. But donating the upstream to a foundation, and using it as a dependency rather than owning it directly, is a meaningfully different position.
This could be a genuine positive for the ecosystem. More code being brought under proper governance, more projects with foundation backing, more resources flowing to the CNCF and similar organizations — these are broadly good outcomes. But there's a harder question underneath it, and the CRA is bringing it into sharper focus whether we like it or not.
Open source has always had an implicit social contract. The short version: if you build a commercial business on top of open source infrastructure, you give something back. Code contributions, obviously, but also, importantly, money. Sponsorships. Employing maintainers. Paying for foundation memberships. The whole system only works if the people and companies extracting value from it also put some value in.
The reality is that this contract has been honored unevenly, to put it generously. There are companies running critical infrastructure on open source projects sustained by a handful of volunteers. The Log4Shell incident a few years back made this concrete: a vulnerability in a library maintained largely by one person in his spare time had cascading effects across the internet.
What the CRA might actually do (and this is the part I find genuinely interesting) is make explicit what was always implicit.
If you're running open source at scale, commercially, you are responsible for understanding what you're running. You need to track what's in your software bill of materials. You need to know when vulnerabilities are disclosed and respond to them. You need a real security posture, not just a "we use open source so we assume someone else handles this" posture.
That's not really different from what responsible companies should have been doing anyway. But having it written into law has a way of clarifying priorities.
And once you accept that — once you accept that running open source at commercial scale is not actually free, it's just that the costs were hidden or externalized — the question of whether to pay for support, fund foundations, or employ maintainers starts to look less like charity and more like obvious self-interest.
I don't think the CRA will solve the open source sustainability problem. Regulation doesn't usually work that way. But I do think it might shift the conversation.
The companies that are smart about this won't just see it as a compliance burden. They'll use it as a forcing function to actually understand their dependencies — what they're running, who maintains it, what the risk profile looks like. Some of them will decide that the right answer is to contribute more seriously, either by giving code to foundations or by supporting the projects they depend on financially. Some will try to find clever structural workarounds. That's human nature.
But for the ecosystem overall, I'd rather have companies being forced to think seriously about their relationship with open source than have everyone continue pretending the whole thing runs on goodwill and nobody needs to pay for anything. The CRA isn't the nudge anyone asked for. But it might be a useful one.