Source: OJ L 2024/2847, 20.11.2024

Current language: EN

Article 25 Security attestation of free and open-source software


Summary What does Article 25 of the CRA regulation say?

This article is a short enabling provision that directly supports the due diligence obligation placed on manufacturers under Article 13(5), specifically those who integrate free and open-source software components into their products.

It empowers the Commission to create, via delegated acts, voluntary security attestation programmes.

These programmes would allow developers, users, or other third parties to assess whether free and open-source software products meet some or all of the essential cybersecurity requirements set out in the regulation.

Important points:

  • The Commission is empowered to adopt delegated acts establishing voluntary security attestation programmes for free and open-source software products.
  • Manufacturers integrating free and open-source software components into their products benefit from this article, as it is designed to ease their due diligence obligations under Article 13(5).
  • Participation in these attestation programmes is voluntary and open to developers, users, and other third parties.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod