No UK support scheme for open source maintainers facing EU Cyber Resilience Act obligations

openclaimed ·shipped ·
What is missing

The EU Cyber Resilience Act creates obligations for manufacturers and a novel 'open-source software steward' category, phasing in through 2026-27; UK-based foundations, SMEs and maintainers whose software reaches the EU market must comply regardless of Brexit. The UK's own Cyber Security and Resilience Bill (report stage June 2026) focuses on NIS-regulated sectors and makes no equivalent provision for open source stewardship, and DSIT's Software Security Code of Practice (2025) is voluntary and generic. EU communities get guidance through OSS foundations' CRA workstreams (Linux Foundation Europe, Eclipse), but there is no UK-facing help, and small UK maintainers are least equipped to interpret extraterritorial product law.

Why it matters

The UK hosts Europe's largest open source contributor base; if CRA compliance is left to individuals, projects will geofence the EU, relocate governance, or abandon maintenance, eroding exactly the sovereign capability other gaps aim to build.

What would fill it

A DSIT/NCSC CRA-readiness programme: plain-English guidance for UK maintainers and stewards, small tooling grants for compliance artefacts (SBOMs, security attestations), and a UK 'steward' concept in future secondary legislation to keep UK-EU interoperability.

// Build now: First artefact: plain-English CRA guidance plus philanthropic tooling grants; statutory UK steward concept is the later end-state.

Why urgency 3

CRA obligations phase in through 2026-27 with no UK-facing help, so leaving compliance to individual maintainers risks EU geofencing or relocation during a live legislative window.

ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.

More in Open source & public goods

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2027-01-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.