Cyber Resilience Act

Astart

Hello all,

My question is quite simple and not a technical one (I hope it still belongs here): Does the Cyber Resilience Act (CRA) apply to Code_Aster?

Unfortunately, being open source is not enough to guarantee that CRA does not apply. The issue is more complex than that.

Regards,
Laurent

mf

Astart
Hello,
very interesting question! I doesn't seem that way, why this author thinks this is good, is beyond me. He is probably not very bright:

https://openssf.org/blog/2025/07/15/new-cyber-resilience-act-cra-brief-guide-for-oss-developers/

The good news is that in many cases the CRA does not apply to OSS.

In this pdf https://ec.europa.eu/newsroom/dae/redirection/document/122331 it says anyone using OSS should do his/her own due diligence, whatever that means:

Manufacturers are allowed to integrate open-source components that are not in scope of
the CRA (i.e. because they are not made available on the market in the course of a
commercial activity), as well as open-source components that are published by an open-
source software steward.......
The risk assessment of the product with digital elements also informs
the appropriate level of due diligence.

So CRA will perhaps make commercial software more secure and OSS more vulnerable?? Crazy!

Mario.

Astart

mf My understanding is that a due diligence is an investigation requested to a third party to insure that the risk is taken into account. This is a legal term that is used in the CRA text.

mf

Astart
Yes, but it's quite generic. It could be anything.

Fab@simvia

Dear Astart and Code_Aster users,

While Code_Aster remains open-source software maintained by EDF, Simvia’s commercial support, training, and development services around it bring certain activities under the scope of the EU Cyber Resilience Act (CRA).

As clarified by the European Commission, only non-commercial open-source software is exempt from CRA obligations:
https://digital-strategy.ec.europa.eu/en/policies/cra-open-source

Simvia, with the support of EDF, is taking all necessary steps to ensure compliance with CRA requirements from partial application in 2026 to full enforcement in December 2027. We will keep the community informed of our progress.
Fabien

Astart

Fab@simvia Thanks a lot for this information. From my POV, this settles the question.