The NLnet Labs foundation is closely following a legislative proposal by the European Commission called the Cyber Resilience Act (CRA), affecting almost all hardware and software offered on the European market. In the nearby future, manufacturers of toasters, ice cream makers and (open-source) software will have something in common: to make their products available on the European market, they will need to affirm their compliance with EU product legislation by affixing the CE marking. We have published background information and our views here: https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/ The current proposal would require developers of open-source software deemed both ‘critical’ and a ‘commercial activity’ to jump through elaborate and potentially costly compliance hoops to make their software available in the EU. What defines a 'critical product' and a 'commercial activity' is key for this discussion. Please get in touch with us if you have concerns or this affects you. Maarten Aertsen <maarten@nlnetlabs.nl> is spearheading this initiative. Kind regards, Alex Band NLnet Labs