
Red Hat and the EU Cyber Resilience Act (CRA)


The European Union’s Cyber Resilience Act (CRA) establishes a mandatory cybersecurity framework for products with digital elements. As this legislation moves toward implementation, Red Hat is aligning our mature product security practices with the CRA’s requirements to make sure our customers can rely on a compliant software supply chain that supports their own security and regulatory goals.

Red Hat views the CRA as a milestone for global cybersecurity and a shared opportunity to elevate software trust. We support its core objectives: increasing transparency throughout the product lifecycle, placing more accountability for software on software manufacturers, and reducing vulnerabilities in hardware and software.

Our continued commitment to secure-by-design principles provides you with a resilient starting point, built on our secure development lifecycle, to proactively address core CRA requirements and reduce the compliance burden on your end. With secure engineering at the heart of our portfolio, Red Hat aims to reduce the organizational burden and challenges of navigating and adapting to complex new standards.

Red Hat offers a trusted, auditable software supply chain. By combining enterprise-grade automation with verifiable component integrity, Red Hat helps organizations show they are prepared and acting responsibly. In this model, compliance is a natural outcome of secure, consistent operations rather than a reactive process.

As a leader in enterprise open source, our value proposition is simple: we are ready for tomorrow, today. We are not waiting for final enforcement dates to secure our software; we are leveraging our existing security infrastructure and 25 years of Product Security expertise to provide a trusted security posture for the ecosystem.

As a manufacturer, Red Hat understands the technical challenges of preparing for CRA compliance. As a steward, we understand the impact enterprise compliance can have on open source communities. We invest early to ensure the delivery of high-quality, compliant products when CRA requirements take effect.

We bridge the gap between open source innovation and regulatory security requirements through:

  • Secure by design and default: Our secure development lifecycle ensures engineering teams collaborate to create products that directly address regulatory security requirements through integrated security checks and validations.
  • Vulnerability management: Red Hat’s Product Security team provides industry-leading analysis, remediation, and transparent reporting through standard formats like CSAF and VEX.
  • Supply chain transparency: We continue to deliver transparency through machine-readable artifacts, providing relevant insights, such as Software Bills of Materials (SBOMs) that align with CRA’s auditability and provenance requirements to support your security management goals.

Red Hat is not just observing the regulatory shift; we contribute actively to the European Standardisation Organisations (ESOs) and to other CRA implementing documents.

We champion 'Open Source-First' security practices within the Eclipse Open Regulatory Compliance (ORC) Working Group and the Open Source Security Foundation (OpenSSF). These efforts make sure cybersecurity mandates reflect the reality of how modern software is actually built and maintained, keeping the supply chain transparent and resilient for everyone.

Red Hat is expanding its responsibility as an open source software steward for critical upstream projects like Fedora and Ansible. Where appropriate, our approach goes beyond the minimum requirements for stewardship, with the goal of facilitating security hardening upstream.

We actively influence communities to build with CRA-aligned security practices, meeting them where they are, then strengthening and verifying that foundation through our trusted supply chain. This end-to-end commitment delivers products that are technically innovative, rooted in secure-by-design principles, and transparent and compliant at the source.

For Red Hat customers, the path to CRA compliance is built on the foundation of our existing relationship. Red Hat proactively aligns its mature secure-by-design lifecycle with CRA mandates, leveraging upstream leadership to shape future standards and engaging directly across communities to accelerate security in open source.

This end-to-end commitment ensures that the path to CRA compliance is built on a foundation of technical innovation and de-risked open source investment, providing a clear path forward in a regulated landscape.

By using Red Hat solutions, you are adopting a security posture that is:

  • Trusted: Backed by decades of enterprise security expertise.
  • Auditable: Supported by comprehensive security metadata and provenance records.
  • Resilient: Designed to adapt and respond to the evolving threat landscape and regulatory environment.