Two FOSDEM talks on the CRA, from opposite sides of the table

Two FOSDEM 2026 talks on the Cyber Resilience Act caught my attention when I watched the recordings. One came from two German IT lawyers - Anika Niemann and Florian Hackel - who spent twenty minutes walking an audience of open source developers through how to think about CRA compliance from a manufacturer’s perspective. The other came from the European Commission itself, joined on stage by representatives from CEN-CENELEC, ETSI, and the German BSI. ...

May 15, 2026 · 7 min · Javier Tia

Auditing your Yocto build for CRA compliance

TL;DR CRA is a process and design regulation; the risk analysis is the central document and the technical file is the evidence the regulator audits, not a scanner-selection problem. Yocto already emits the build-derivable half: SBOM (create-spdx), CVE scans, license manifests, signing posture. The vendor-committed half - CVD policy, support period, update mechanism, Declaration of Conformity - has to be written by hand. shipcheck reads a Yocto build plus product.yaml, pivots findings by CRA Annex, and drafts your Annex VII technical file and DoC.

The received wisdom is wrong

Read any CRA compliance article from a security vendor and you will see the same shape of pitch: run a scanner, triage the CVEs, generate an SBOM, ship. The regulation becomes a scanner-selection problem, and whichever product the vendor sells happens to be the right scanner. ...

April 24, 2026 · 12 min · Javier Tia · Updated: April 29, 2026