Roman Zhukov
Roman is a cybersecurity expert and leader with 17+ years of experience securing complex systems and products. As Principal Architect at Red Hat, he drives open-source security strategy and cross-industry collaboration to build trusted software ecosystems. Formerly, he led Product Security & Privacy for Data Center and AI software at Intel. Roman contributes to global open-source security initiatives and standardization efforts, including the EU Cyber Resilience Act.
Sessions
The EU Cyber Resilience Act (CRA) was designed to protect European consumers, but its global implications have left many in the open source community - especially individual contributors and maintainers - feeling confused or even afraid. While most discussions focus on the obligations of Manufacturers or Open Source Stewards, individual contributors are often left asking: "Will I be liable? Should I stop contributing?"
We will start this session with a short presentation, but most of the time will be dedicated to answering your questions (AMA - Ask Me Anything), whiteboarding and brainstorming on your case studies and the CRA roles that might be applicable to you, your organization, your open source projects or your community. We will focus specifically on SW developers, contributors and maintainers and show that the regulations are manageable. There are no “stupid” questions about the CRA as it’s the most complex and impactful regulation that the open source. We got your back.
By 2026, the regulatory landscape for the tech industry has fundamentally shifted, with unprecedented implications for open source. From the EU Cyber Resilience Act (CRA) to "Digital Sovereignty" - these terms rightfully sound like the antithesis of open values. But the story of the last 2-3 years isn't one of defeat. It’s a story of how the open source community "debugged" the law.
In this talk, we reveal how engineers entered the negotiation rooms to fix critical bugs in the legislation and standards. We will look at the technical reality behind the CRA Open Source victory, translating "Secure by Design" for open source directly into European Standards. We will also reframe Digital Sovereignty into the real engineering values of innovating resilience, quality and security that come from transparency and freedom that only open source can offer.
Join us to see how we turn regulation from a blocker into a feature, ensuring the "Open Source Way" remains the standard for innovation.