Introduction

The purpose of this survey is to understand the challenges and needs faced by FOSS communities in complying with the EU Cyber Resilience Act (CRA).
FOSS contributors play a dual role: ensuring compliance for their tools/components and supporting SMEs through open-source solutions. Your responses will help us develop practical tools and resources to meet these challenges.

Learn more about the OCCTET project: https://occtet.eu/

DISCLAIMER:

Your responses will be used solely for research and analysis purposes to develop tools and resources supporting SME compliance with the CRA. All responses will be handled in compliance with the privacy policies of the Eclipse Foundation and the OCCTET project. No personal or identifiable information will be shared.

Consent Statement

I agree to the processing of my survey responses for research and analysis purposes, in compliance with the privacy policies of the Eclipse Foundation and the OCCTET project.

Allow me to be contacted by the OCCTET project if needed.

Contact email

Section 1: Participant Information

What is your role in the FOSS community? *

Which FOSS projects are you involved in, and in what capacity? *

Location(s) of operation:

Do you develop or maintain open-source tools or components used in products with digital elements? *

Yes

No

Unsure

FOSS tools integrated into such products are subject to CRA requirements, especially regarding cybersecurity.

Are these tools or components placed on the EU market as part of a product? *

Yes

No

Unsure

This determines whether the CRA directly applies to your contributions

What types of open-source tools or components do you work on? *

Section 2: Awareness and Readiness for CRA

How familiar are you with the Cyber Resilience Act (CRA)? *

Not familiar at all

Somewhat familiar

Very familiar

Do you consider CRA compliance when developing your tools/components? *

Yes

No

Not Sure

Compliance considerations could include secure design, lifecycle support, and clear documentation for users.

Have you made any changes to your development practices in response to CRA requirements? *

Yes

No

Planning to do so

(Examples of changes: adding security testing processes, improving vulnerability tracking, or documenting cybersecurity measures.)

Section 3: Compliance of FOSS Tools (CRA Article 10)

CRA Article 10 applies to FOSS components integrated into products with digital elements. Manufacturers using these components must ensure they do not compromise cybersecurity.

What challenges do you face in ensuring your tools or components meet CRA requirements? (Select all that apply) *

Lack of clear guidelines for open-source compliance

Difficulty in tracking vulnerabilities in dependencies

Limited resources for security testing

Uncertainty about CRA applicability to open-source tools

Other

If you selected 'Other' in the previous question, please specify.

Do you conduct cybersecurity risk assessments for your tools/components? *

Yes

No

Not sure

What tools or practices do you currently use to enhance cybersecurity in your open-source contributions?

Do you publish documentation for your tools/components to support CRA compliance? *

Yes

No

Planning to do so

Documentation might include usage instructions, known vulnerabilities, or secure configuration guidelines.

What additional support would help you ensure your tools/components comply with CRA requirements?

Section 4: Supporting FOSS Community with CRA Compliance

Many SMEs rely on open-source tools to comply with the CRA, such as SBOM generators, vulnerability scanners, or secure coding libraries. FOSS contributors can play a key role in simplifying CRA compliance for SMEs.

Are you currently developing tools or resources to help SMEs comply with CRA requirements? *

Yes

No

Planning to do so

Do you have a formal vulnerability disclosure and incident response process? *

Yes

No

Planning to do so

Are vulnerabilities reported and managed according to Coordinated Vulnerability Disclosure (CVD) principles? *

Yes

No

Planning to do so

What features or functionalities do you prioritize in these tools to support SMEs?

What feedback or input from SMEs would help you design better compliance tools?

What challenges do you face in creating tools or resources for SMEs?

Section 5: Documentation and Transparency (CRA Article 10(3))

CRA Article 10(3) requires documentation of cybersecurity measures, including secure use instructions and lifecycle support information.

Do you currently provide documentation to users about the cybersecurity features of your tools/components? *

Yes

No

Planning to do so

What type of documentation would help SMEs better understand and use your tools for CRA compliance? (Select all that apply) *

If you selected 'Other' in the previous question, please specify.

Do you conduct cybersecurity training for contributors? *

Yes

No

Planning to do so

Section 6: Compliance and Standards

Which cybersecurity standards does your community comply with? (Select all that apply) *

If you selected 'Other' in the previous question, please specify.

Have you conducted a self-assessment against CRA requirements? *

Yes

No

Planning to do so

Not sure

Section 7: If you are a steward

What do you need from the open source developers?

What do you need to prove to the manufacturers that the open source components fulfil the requirements?

Are there any requirements that you fear you will not be able to fulfil as a steward?

Section 8: Recommendations

What additional tools, training, or resources would help you ensure CRA compliance for your open-source contributions?

If you could receive one type of support to simplify CRA compliance for your contributions, what would it be?

Thank you for completing this survey!

Your insights are invaluable in creating resources and tools to support the FOSS community and SMEs in navigating CRA compliance. If you'd like to receive updates on the outcomes of this survey or access to compliance resources, please ensure providing your email address.

Framaforms

Shaping CRA Compliance for the FOSS Ecosystem

Début : 1 / 2

Introduction

DISCLAIMER:

Section 1: Participant Information

Section 2: Awareness and Readiness for CRA

Section 3: Compliance of FOSS Tools (CRA Article 10)

Section 4: Supporting FOSS Community with CRA Compliance

Section 5: Documentation and Transparency (CRA Article 10(3))

Section 6: Compliance and Standards

Section 7: If you are a steward

Section 8: Recommendations

Contacter l'auteur⋅rice de ce formulaire

Propulsé par Yakforms