ORC Learning Hub: Introduction to the Cyber Resilience Act for open source communities

About This Course

The EU Cyber Resilience Act (CRA) establishes cybersecurity requirements for products with digital elements, with important implications for open source software projects, maintainers, foundations, and commercial manufacturers.

Participants will gain a clear understanding of the CRA’s scope, objectives, and timeline, including how the regulation defines economic operators (manufacturers, importers, distributors) and where open source projects and foundations may fit within that framework. The session will explore essential cybersecurity requirements, conformity assessments, CE marking, technical documentation obligations, vulnerability handling processes, coordinated disclosure, and the role of Software Bills of Materials (SBOMs).

We will also address key questions for open source communities:

  • When does open source fall within scope?
  • What is the role of an Open Source Steward?
  • How do commercial and non-commercial activities differ under the regulation?
  • What practical steps can projects take today to prepare?

Requirements

This course is designed for anyone currently navigating the world of Open Source. If you know the basics of open-source collaboration and are curious about how emerging regulations like the CRA will shape the future of the software supply chain, you are in the right place.

Course Staff

Olle E. Johansson

Olle E. Johansson (oej) is a consultant in the area of real-time communication, application security and embedded system security. He has been active in Open Source for many years as a developer, evangelist, trainer, and speaker at many conferences worldwide. Olle is a member of the OWASP SBOM Forum and the OWASP CycloneDX industry working group. He is currently working on the CycloneDX Transparency Exchange API standard (Koala). He is actively participating in ECLIPSE ORCWG and the OpenSSF. From 2026, Olle is representing OWASP in the ORCWG steering committee. As an invited expert, he contributes to ECMA International TC54, which works with software and systems transparency, including OWASP CycloneDX, package URL (PURL) and the Transparency Exchange API (TEA).
In the past, Olle was an active core developer in the Asterisk.org project, co-founder of the Astricon conference and creator of the Asterisk certifications and trainings. He has been a contributor to the Kamailio.org open source SIP proxy for many years and still runs many in-house trainings and workshops in SIP and Kamailio.
During 2024 Olle launched SBOMEUROPE.EU together with Anthony Harrison from APH10 in Manchester, UK. Together, they publish white papers and videos on YouTube, and during 2025 they are launching training classes, workshops and expert consultancy for risk management, application security and CRA compliance.
Olle is also a project leader for the Swedish DNS TAPIR project that is building Open Source software for analysing DNS resolver logs and finding bad actors.
Olle is the founder and CEO of Edvina AB, founded in 1987.

Frequently Asked Questions

What web browser should I use?

The Open edX platform works best with current versions of Chrome, Edge, Firefox, or Safari.

See our list of supported browsers for the most up-to-date information.
