As our reliance on connected devices and software deepens, the need for robust, transparent, and consistent cybersecurity practices becomes increasingly critical. The European Union's Cyber Resilience Act (CRA) is a landmark piece of legislation whose stated purpose is “ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's lifecycle”. This welcome initiative aims to protect consumers and businesses through products that are secure by design and manufacturers who are transparent about their security practices.
At Red Hat, we believe that a more secure digital future is built on open principles and collaboration. We support the goals of the CRA and are engaged in the critical work of shaping its implementation, including the implementing and delegated acts, guidance for open source, and the Harmonised European Standards (hEN) that will underpin this regulation. Our commitment is not just about compliance; it is about using our expertise in open source and enterprise security to help build a more resilient and trustworthy digital ecosystem for everyone.
Deep involvement in European standardisation
The success of the CRA hinges on the development of practical, effective, and widely accepted harmonised standards. These standards will give manufacturers a clear framework for meeting the Act's essential requirements. Red Hat is contributing to this process through our participation in the key European Standardisation Organisations (ESOs) that the European Commission has mandated to produce these standards.
Our involvement is twofold, addressing both broad, cross-sectoral standards and those specific to the following key technology domains:
- Horizontal standards (CEN/CENELEC): We are an active member of the European Committee for Standardization (CEN) and European Committee for Electrotechnical Standardization (CENELEC) Joint Technical Committee 13 Working Group 9 (JTC 13/WG 9) on Cybersecurity and Data Protection. This body is responsible for developing the horizontal standards that manufacturers across many industries are expected to use. We contribute by making secure software development practices practical and clear, and by helping define foundational principles for vulnerability management and supply chain security that align directly with modern, open source development methods.
- Vertical standards (ETSI): For the more specific technology areas that the CRA defines as Important and Critical product categories (the list of which was published in the Official Journal (OJ) last week), we contribute to the European Telecommunications Standards Institute (ETSI). Our experts are particularly involved in the Technical Committee for Cybersecurity (TC CYBER). This includes collaborating on security standards for operating systems, hypervisors and container runtimes, and boot managers, among others.
Through these contributions, we share Red Hat’s decades-long expertise as an industry leader in the secure software development lifecycle (SSDLC) and vulnerability management, as well as our unique expertise in strengthening the foundational security of products such as operating systems. Our work helps incorporate state-of-the-art technology into European harmonised standards that reflect the dynamic, community-driven nature of open source development.
Championing open source in a standardised world
Open source software is the engine of modern innovation, and it forms the backbone of the digital products covered by the CRA. It is imperative that the new EU cybersecurity standards recognize the importance of open source and actively support its principles of transparency, collaboration, and rapid innovation.
Red Hat's commitment extends beyond our participation in these formal standards bodies. We are also a leading contributor to global open source security initiatives, including the Open Source Security Foundation (OpenSSF) and its Global Cyber Policy Working Group. Our OpenSSF work directly informs and strengthens our contributions to EU standardization by:
- Integrating open source principles: We advocate for the recognition of community-vetted, open source best practices within formal standards. This includes promoting the adoption of frameworks like Open Source Project Security Baseline (OSPS), which encourages maintainers to implement the most effective secure development practices possible.
- Enabling practicality: We work to make sure that standardisation efforts do not create unintended barriers for open source projects and communities. A standard that is impossible for an open source project to meet will accomplish nothing.
- Fostering collaboration: We act as a bridge between the world of formal standardisation and the open source community, fostering a two-way flow of information and expertise. This helps develop standards that are both robust and realistic.
We also lead efforts within the Eclipse Open Regulatory Compliance (ORC) Working Group as Steering Committee members. This initiative gathers and channels community feedback on the CRA standards. ORC also develops white papers and guidance on the specifics of implementing CRA standards for maintainers, open source software stewards, and manufacturers, encouraging effective collaboration and helping them better understand each other's needs. We also continue to engage in the core European trade associations (e.g. Digital Europe, Bitkom, Numeum), which represent thousands of European companies, to further raise awareness of this important policy file and its relevance to bolstering resilience and open innovation in Europe.
By also championing open source within the standardisation process, and vice versa, we help create a regulatory environment that fosters practical and actionable security without stifling the innovative nature of open source.
Voices from the front line
Our work is driven by dedicated individuals who are passionate about building more transparent and open standards. Here’s what some of our key contributors have to say:
"We participate in the ETSI Cyber EU standardisation request (EUSR) working group, bringing our deep expertise in operating systems to help craft the new vertical standard supporting the CRA. Our focus is on ensuring this standard is practical, effective, and truly enhances the security of operating systems."
- Marek Haičman and Brian Stinson (ETSI, Operating Systems)
"We are creating specific, industry-focused standards to build a stable and trusted security foundation for virtualization and container technology. The success of these standards depends on broad collaboration, so stable drafts are published for public review and we encourage everyone to contribute their expertise. I recently took on the role of Secretary for the Cyber EUSR to help support and coordinate all of the crucial standardization work required for the CRA within ETSI as Red Hat's representative."
- Ozgur Ozonuk (ETSI, Virtualization & Container Execution Stack Vertical)
“Working on traditional industry standardization 'behind closed doors' started as a big challenge for us, upstream-minded people, who are used to openly sharing and collaborating on all the work that we do. However, I’m happy with the level of respect and how fast we’re learning from each other (both sides—open source community and standardization industry) and doing our absolute best to overcome challenges, such as enormous time pressure. Harmonized horizontal standards should take into account so many things, like regulation and industry best practices, and be applicable to organizations of all sizes—from big corporations to small and medium businesses—and, of course, to the specifics of open source development. I’m proud to help navigate these complexities and to see that we are now very close to this balance, as almost all 4 horizontal standards have reached a good level of maturity.”
- Roman Zhukov (CEN/CENELEC, WG9 member)
Conclusion: Building a more secure future together
Red Hat’s commitment to the EU CRA is a core part of our mission to build better technology the open source way. Through our active participation in CEN/CENELEC and ETSI, our leadership in communities like OpenSSF and Eclipse, and our engagement with European trade associations, we are helping to make the future of cybersecurity standards open, collaborative, and actionable.
Harmonized standards will create a level playing field, foster customer trust, and raise the bar for security across the entire market. However, this is not a task for one company alone. We call upon our partners, customers, and peers across the industry to engage in this critical work: upstream contributions that improve open source tooling and best practices, the development of standards and related technical specifications, and wider public policy advocacy (not only on CRA implementation but on other related files such as the review of Regulation 1025/2012, the New Legislative Framework (NLF), public procurement, and the Cyber Security Act). Whether by contributing to open source security projects, participating directly in the standardization process, or engaging in public policy advocacy, collective action is essential.
Together, we can shape a digital future that is not only innovative but also fundamentally more resilient, with a stronger underlying level of security.
About the author
Product Security Program Manager, managing the CRA program for Red Hat.
Roman is a cybersecurity expert with 17+ years of experience securing complex systems and products. Roman leads open-source security strategy and cross-industry collaboration at Red Hat. Formerly, he led Product Security & Privacy for Data Center and AI software at Intel. Roman contributes to global open-source security initiatives and standardization efforts, including the EU Cyber Resilience Act. He is also a university lecturer, startup advisor, and mentor, advocating for practical and responsible cybersecurity.