[FOSDEM] Call for Participation: CRA in practice @ FOSDEM 2026

Roman Zhukov rzhukovsec at gmail.com
Fri Nov 7 14:36:27 UTC 2025


# CRA in practice @ FOSDEM 2026
Over the last few years we talked about the EU Cyber Resilience Act (CRA)
quite a bit, highlighting its importance and raising awareness. Now we have
less than one year until obligations for reporting security vulnerabilities
and cyber incidents begin and less than two years until all the CRA
requirements become mandatory. It's time to move from awareness ("oh no,
regulations") to actually getting ready
("okay, here's how we actually do this").

This devroom is about practical CRA readiness for the FOSS community through open
tooling, automation, documentation, and standards alignment that will make
CRA compliance achievable and benefit everyone: developers, maintainers,
stewards, and manufacturers. Community-driven solutions to regulatory
challenges aim to reduce duplicative work, make compliance accessible for
small projects without dedicated legal teams, keep the tools and data free,
open, and transparent, and enable the entire FOSS ecosystem to navigate CRA
together.

If your session helps developers, projects, or organizations move from
awareness to actual readiness, with concrete, open-source solutions, we
want to hear from you. We are looking for talks, panels, even workshops
that help people take practical, developer-friendly actions. Think
demonstrations, case studies, and real experiences, not policy deep-dives
or legal strategy sessions. Specifically, we're interested in:
- FOSS compliance tools in action: Showcasing what exists (OpenSSF Baseline
and Scorecard, security-insights.yaml, SBOM/VEX tooling, etc.), what works,
and where the gaps are
- Open data and standards: Formats, models, and standards for compliance,
security, and supply chain that everyone can use
- Practical approaches: Reusable practices that make compliance achievable
for projects of all sizes, from solo maintainers to large foundations
- Real-world experiences: What FOSS maintainers actually need, what's
working, what's painful
- CRA readiness strategies: Mapping CRA requirements to concrete tools and
workflows, due diligence practices, secure development automation
- Ecosystem support: How stewards and foundations (like Linux Foundation,
Eclipse, or Python Software Foundation) support their communities and what
could be missing
- Global framework alignment: Interoperability with US NIST/CISA, UK
frameworks, ISO/IEC standards and other global cybersecurity initiatives
- Manufacturer Due Diligence: How manufacturers can demonstrate due
diligence when using OSS components

To keep things focused and practical, we're explicitly leaving these topics
to other devrooms and venues:
- European policy analysis or legislative interpretation
- Open source legal strategy or licensing questions
- General CRA policy discussions without case study or technical
implementation
- Deep-dives into SBOMs (there is a separate room for it)

Session Types and Lengths - please indicate your preferred format in your
submission:
- Lightning talks (10 minutes) – quick insights, new ideas, or fast demos
- Standard talks (25 minutes) – deep dives or case studies
- Panel (40 min) – cross-role discussions on a key CRA challenge
- Workshop (40 min) – hands-on demonstration

Important Dates:
- CfP opens: 7th November 2025
- CfP closes: 1st December 2025 (23:59 UTC)
- Notification of acceptance: mid-December 2025
- Devroom at FOSDEM 2026: Saturday, 31st January 2026, Brussels

NOTE: You must be available in person to present your talk.

## How to Submit
To submit a talk, follow https://pretalx.fosdem.org/fosdem-2026/cfp, select
**CRA in practice** as the *Track* and ensure you include all the requested
information when submitting a proposal.

Code of Conduct: We'd like to remind all speakers and attendees that all of
the presentations and discussions in our devroom are held under the
guidelines set forth in the
[FOSDEM Code of Conduct](https://fosdem.org/2026/practical/conduct/) and we
expect everyone attending to follow it.

Would you like to volunteer and help onsite, or do you have any questions?
Reach out to the organizers.

Organizers’ contacts:
- Roman Zhukov - rzhukov[at]redhat[.]com
- Madalin Neag - mneag[at]contractor[.]linuxfoundation[.]org
- Megan Knight - megan[.]knight[at]arm[.]com
- Philippe Ombredanne - pombredanne[at]aboutcode[.]org