Episode 224

Ciarán O’Riordan on the EU's Cyber Resiliency Act


March 15th, 2024

39 mins 30 secs

Your Hosts
Special Guest

About this Episode


Ciarán O’Riordan


Richard Littauer | Leslie Hawthorne

Show Notes

In this episode, host Richard Littauer and co-host Leslie Hawthorne engage with Ciarán O’Riordan, Senior Policy Advisor from Open Forum Europe (OFE), diving into the intricacies of the Cyber Resiliency Act (CRA) and its implications for the Free and Open Source Software (FOSS) community. Ciarán shares his journey from software development to policy advocacy, emphasizing the critical role of policy work in shaping the future of open source. He provides an in-depth analysis of the CRA, highlighting concerns about its initial draft, the involvement of the FOSS community in shaping its final form, and the potential challenges and opportunities it presents. The discussion also touches on other significant legislative developments in Europe, such as the Product Liability Directive and the AI Act, and their potential effects on open source software. Press download now to hear more!

[00:01:25] Ciarán explains how he became a Senior Policy Advisor, his passion for policy work, tracing his journey from a software developer in Dublin to his 20-year career in Brussels focusing on policy advocacy, including his recent position at OFE.

[00:06:08] Leslie asks Ciarán for a summary of the Cyber Resilience Act (CRA) and its specific implications for the free and open source software ecosystem. Ciarán contrasts the initial and final versions of the CR, detailing the changes made, the lightened obligations for free and open source software, and the ongoing compliance challenges for commercial distributions.

[00:11:02] Leslie inquires how software foundation’s responsible for producing commercialized software are impacted by the Cyber Resilience Act. Ciarán explains that the final version of the Act introduces a new category called “Open Source Stewards” for entities like software foundations, which have a reduced set of obligations without fines. He also mentions the timeline for the CRA, stating in will come into force around summertime 2027, after being officially signed.

[00:16:09] Richard asks about the CRA’s impact on individual non-European developers, like himself, who have repositories on platforms like GitHub or GitLab. Ciarán responds that the specifics of how the CRA will affect such developers will become clear once the standards are developed.

[00:17:55] Ciarán clarifies the role of software foundations is to provide services or procedures for compliance, which may vary across different foundations.

[00:19:36] Richard wonders who benefits from this Act, and Ciarán discusses the justification for the CRA, which is cost-based, comparing the cybersecurity costs with compliance costs.

[00:21:31] Leslie asks about the process of creating standards for CRA compliance and how average FOSS developers can influence these standards and questions the best ways for FOSS developers to get involved in influencing the outcomes beneficial to the FOSS ecosystem. Ciarán notes that working on standards and policy is complex and compares it to contributing to software development on short notice.

[00:26:07] Ciarán discusses OFE’s multi-layered structure and the FOSS community list, which serves as a base for information sharing and connection.

[00:27:24] Richard questions the impact CRA on individual developers with numerous dependencies in their projects. Ciarán reassures that there is no immediate cause for panic as the CRA will not come into force until summer 2027 and many details will be clarified in the coming years.

[00:28:39] Leslie shifts the discussion the Product Liability Directive (PLD) and its relevance to the FOSS ecosystem and Ciarán goes in depth about it.

[00:33:36] Find out where you can learn more about Ciarán and OFE on the web.


[00:04:58] “We’d love to have better cyber security, especially if it just falls from the sky.”

[00:22:31] “Working on standards and policy in general is about as complex as working on software development.”

[00:24:00] “In terms of getting involved, two important things: First is getting in contact with other people, and the second is the need to do some work on your own initiative without having been brought into some of these groups.”


  • [00:35:35] Leslie’s spotlight is the Open Source in The European Legislative Landscape devroom.
  • [00:35:59] Richard’s spotlight is the book, “Better Living Through Birding.”
  • [00:36:42] Ciarán’s spotlight is two books: “Thy Neighbour’s Wife” and “The Life Show.”



Support Sustain