What has (can) the EU Cyber Resilience Act done (do) for you?
The European Union Cyber Resilience Act (CRA) and its various international analogs are entering fully into force during 2026 and 2027, bringing new legal requirements that some have found perilous or challenging for software developers, and possibly for open source developers in particular. Some have predicted that this legislation will be the end of open source software and the end of the world as we know it. In this article, we will show that this is far from the case.
Yes, It’s Later Than You Think
As we have mentioned in several earlier articles and presentations, on December 12, 2027, it is already too late. The day before, the European Union Cyber Resilience Act (CRA) will have fully entered into force: from December 11, 2027, the CRA is fully in force in the European Union member states and associated countries and territories. From that date onward, suppliers of any “product with digital elements” are required to present those products along with a full overview of, and insight into, all the components and dependencies that went into making them.
Unless, of course, you are a supplier that is fine with being considered second rate at best, or even being ineligible for lucrative contracts. Selling a product that has not qualified for the CE mark in its product category will simply not do. The European timeline for the phased implementation of the CRA is outlined here.
The European Union Sets the Standard From Here On
The European Union Cyber Resilience Act is part of an expanding body of legislation, which includes the General Data Protection Regulation (GDPR), the Regulation of the Digital Operational Resilience of the Financial Sector (DORA), and the Directive on Network and Information Systems (NIS2), that regulates information technology and products with digital elements in the European Union and its associated states and territories. The underlying motivation is to ensure the safety, wellbeing and civil rights of the inhabitants of the EU and its associated states and territories. It is important to keep this in mind as the basic driver behind the regulation.
In the area of cyber security and digital resilience, specification and standardization work was for a long time fairly well in sync between the European and US efforts, for all the obvious reasons. Early on, the USA was the first to enact formal legislation in this subject area, in the form of US Executive Order 14028 of May 12, 2021, Improving the Nation’s Cybersecurity, and the EU finally enacted its version of the legislation as the EU Cyber Resilience Act (CRA) in 2024.
However, it took the second Trump administration one year and nine days to rescind US Executive Order 14028, leaving the specifications and emerging standards as merely optional for projects and procurement under federal authorities of the United States. The European Union, on the other hand, has not let up in its efforts. This means that, going forward, it is the European Union Cyber Resilience Act (CRA) that defines the parameters for those of us who develop products with digital elements (PDEs) intended for any international market that includes the European Union and its associated states and territories.
Manufacturers, Stewards and Developers
Under the CRA, the people and organizations involved in producing or marketing products with digital elements fall into several categories. In contexts where open source software plays a role, the roles of most interest are:
- Manufacturers: businesses that place products on the market to be available in the EU, defined as a natural or legal person who develops or manufactures products with digital elements, or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge (CRA Article 3(13)). Crucially, the context here is that these activities are part of a commercial activity (CRA Article 3(22)).
- Open Source Stewards: organizations that coordinate open source projects, typically foundations (not-for-profit corporations), defined as a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements.