No UK support scheme for open source maintainers facing EU Cyber Resilience Act obligations
The EU Cyber Resilience Act creates obligations for manufacturers and a novel 'open-source software steward' category, phasing in through 2026-27; UK-based foundations, SMEs and maintainers whose software reaches the EU market must comply regardless of Brexit. The UK's own Cyber Security and Resilience Bill (report stage June 2026) focuses on NIS-regulated sectors and makes no equivalent provision for open source stewardship, and DSIT's Software Security Code of Practice (2025) is voluntary and generic. EU communities get guidance through OSS foundations' CRA workstreams (Linux Foundation Europe, Eclipse), but there is no UK-facing help, and small UK maintainers are least equipped to interpret extraterritorial product law.
The UK hosts Europe's largest open source contributor base; if CRA compliance is left to individuals, projects will geofence the EU, relocate governance, or abandon maintenance, eroding exactly the sovereign capability other gaps aim to build.
A DSIT/NCSC CRA-readiness programme: plain-English guidance for UK maintainers and stewards, small tooling grants for compliance artefacts (SBOMs, security attestations), and a UK 'steward' concept in future secondary legislation to keep UK-EU interoperability.
// Build now: First artefact: plain-English CRA guidance plus philanthropic tooling grants; statutory UK steward concept is the later end-state.
CRA obligations phase in through 2026-27 with no UK-facing help, so leaving compliance to individual maintainers risks EU geofencing or relocation during a live legislative window.