BRUSSELS, Aug. 14, 2025 (GLOBE NEWSWIRE) -- The Open Regulatory Compliance (ORC) Working Group, a pioneering initiative hosted by the Eclipse Foundation to help developers, enterprises, industries, and open source foundations navigate evolving regulatory frameworks, today announced that its first major deliverable aimed at helping organisations that rely on open source software to comply with the recently enacted Cyber Resilience Act (CRA) is ready for community review. In parallel, the group continues to grow rapidly, including the addition of Microsoft and Red Hat as Strategic Members, alongside ekxide, GitHub, Google, and Open Source Matters.

To assist open source stakeholders in navigating evolving regulatory compliance, the ORC Working Group has prepared an inventory of resources relevant to CRA compliance. This includes a collection of specifications, best practices, and reference materials aimed at developers, maintainers, manufacturers, and foundations that rely on open source software. In addition, the ORC has released its deliverables plan, a community-driven roadmap for additional content and materials to support the open source ecosystem as they work to meet CRA compliance obligations.

“The ORC community is delivering exactly what the industry needs right now: practical resources to help organisations that rely on open source better understand and prepare for the Cyber Resilience Act,” said Mike Milinkovich, executive director of the Eclipse Foundation. “This initial inventory reflects the community’s commitment to delivering real-world resources that help companies navigate CRA requirements. It helps demystify compliance and showcases how open source stakeholders are addressing cybersecurity regulation in meaningful ways. We are proud to support this growing initiative and its mission to keep open source strong in a more regulated world.”

The CRA introduces mandatory cybersecurity and vulnerability management requirements for digital products marketed in the European Union, including software. It applies to manufacturers, software vendors, and open source software stewards, who are now expected to ensure secure development practices and transparent vulnerability handling across increasingly complex software supply chains.

With open source software estimated to make up as much as 96% of all commercial software (Harvard Business School, March 2024), CRA compliance presents a unique challenge for organisations that integrate open source components developed and maintained by decentralised communities. ORC’s mission is to address these challenges with practical, shared solutions that sustain open source innovation in a regulated world.

Since its launch, ORC has grown to more than 50 members, including leading open source foundations and global technology companies such as Nokia, Mercedes-Benz, and now Microsoft, Red Hat, GitHub, and Google. The working group operates under the Eclipse Foundation’s vendor-neutral governance and benefits from the Foundation’s formal liaison status with the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC), as well as its active participation in the European Telecommunications Standards Institute (ETSI) and the European Commission’s CRA Expert Group. This enables ORC to represent open source perspectives in regulatory and standards development discussions across Europe.

The ORC Working Group invites contributors, organisations, and all stakeholders to get involved in shaping the future of open source compliance. Learn more and access the resources at orcwg.org or visit the CRA Hub.

Member Quotes

Microsoft

“The Eclipse Foundation is a key organisation in the EU working with regulators on practical resources, best practices, and open specifications that enable regulatory compliance while safeguarding the vitality of open source innovation,” said Mark Russinovich, CTO, Deputy CISO, and Technical Fellow, Microsoft Azure. “Microsoft is joining the Open Regulatory Compliance Working Group to share our experience and work with our partners and peers for the benefit of all stakeholders.”

Nokia

“Nokia is a founding strategic member of the ORC Working Group and is fully committed to supporting these initiatives. We are very happy to see the progress in bringing together a critical mass of the open source community to help navigate the various implications the Cyber Resilience Act will have on open source, and to those involved,” said Timo Perala, Head of Open Source Service and Network Automation at Nokia and ORC co-chair. “It is with pleasure and excitement that we welcome the Inventory of Resources, the first ORC deliverable, and we look forward to the numerous planned deliverables to come.”

Red Hat

“The release of these initial resources from the ORC Working Group is a critical step forward for the open source community in addressing the complexities of the Cyber Resilience Act,” said Roman Zhukov, Security Communities Lead at Red Hat Open Source Program Office. “At Red Hat, we are committed to fostering an environment where open source innovation can thrive, and these practical tools will be invaluable for organisations navigating their compliance journeys. We believe this collaborative effort will contribute to a strong, resilient software supply chain for everyone.”

ekxide

"As a young company rooted in open source, being part of the ORC Working Group gives us the opportunity to collaborate with global industry leaders and take part in shaping the future of open source. We're especially proud to represent young and smaller companies and the challenges they face with the CRA," said Mathias Kraus, Co-CEO of ekxide. "We believe that open collaboration drives real innovation and we're eager to grow, share, and build alongside such a committed network."

GitHub

“With the ORC Working Group, the Eclipse Foundation has pulled off the challenging task of getting the incredibly diverse open source community to speak with one voice in Brussels - and in a language that regulators can understand,” said Mike Linksvayer, VP Developer Policy at GitHub. “GitHub is joining the ORC Working Group to support its mission of making the EU Cyber Resilience Act work for open source developers and educating the community about regulatory changes.”

About the ORC Working Group

The Open Regulatory Compliance Working Group (ORC WG) brings together prominent open source foundations, leading global enterprises, and industry stakeholders to address the growing impact of software regulations on open source. With over 50 members and growing, ORC develops best practices, specifications, and practical resources to help organisations navigate evolving regulatory requirements. Its initial focus is on the European Cyber Resilience Act (CRA), while supporting the long-term security, sustainability, and adoption of open source innovation worldwide. For more information, visit orcwg.org.

About the Eclipse Foundation

The Eclipse Foundation provides our global community of individuals and organisations with a business-friendly environment for open source software collaboration and innovation. We host the Eclipse IDE, Adoptium, Software Defined Vehicle, Jakarta EE, Open VSX, and over 400 open source projects, including runtimes, tools, registries, specifications, and frameworks for cloud and edge applications, IoT, AI, automotive, systems engineering, open processor designs, and many others. Headquartered in Brussels, Belgium, the Eclipse Foundation is an international non-profit association supported by over 300 members. To learn more, follow us on social media @EclipseFdn, LinkedIn, or visit eclipse.org.

