Assess & Review potential Cyber Resilience Act (CRA) requirements #5360

Open
opened 2026-02-05 10:00:12 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @ssddanbrown on GitHub (Jul 15, 2025).

Description

Assess/review our relation/involvement/requirements with the Cyber Resilience Act (https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act).

Timelines

  • Full CRA requirements apply from December 2027.
  • Reporting requirements apply from September 2026.

Applicability

I'm personally not in the EU (now) but there's heavy BookStack use in the EU, including from support service customers and sponsors. There are specific allowances to avoid open source being subject to the CRA, but it looks like those won't apply here since there's specific profitable activity taking place (support services, donations etc...) related to the software.

There is also a related UK-based "Cyber Security and Resilience Bill" to be announced which may overlap.

Todo

  • Attempt to read the actual act (https://eur-lex.europa.eu/eli/reg/2024/2847/oj).
  • Review the OSSF cybersec requirements checklist (https://github.com/ossf/wg-globalcyberpolicy/blob/main/documents/CRA/checklists/PSIRT_Obligations_Checklist.md).
  • Watch the FOSDEM video (https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3683-the-regulators-are-coming-one-year-on/).

Completed Actions

  • Been through & completed the Linux Foundation course. Was mainly high-level stuff.

Considerations

  • Am I now personally liable? Project is kind of with me personally (trademark, sponsorships). Might need to think about organisation in respect to BookStack and if a different org structure is needed here.

Resources

  • EU page: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
  • Guidance in simpler language: https://www.cyberresilienceact.eu/
  • Free Linux Foundation course: https://training.linuxfoundation.org/express-learning/understanding-the-eu-cyber-resilience-act-cra-lfel1001/#
  • OSSF requirements checklist: https://github.com/ossf/wg-globalcyberpolicy/blob/main/documents/CRA/checklists/PSIRT_Obligations_Checklist.md
  • FOSDEM video: https://archive.fosdem.org/2024/schedule/event/fosdem-2024-3683-the-regulators-are-coming-one-year-on/
OVERLORD added the Admin/Meta and Security labels 2026-02-05 10:00:12 +03:00
Reference: starred/BookStack#5360