
Cyber Resilience Act Workshop 2025. The five W’s!


Back in October, three representatives from Joomla! attended the Cyber Resilience Act workshop organised by the Open Website Alliance. Let’s begin with who. 

Who

The Open Website Alliance is a ‘community of communities’, at this time comprising Joomla, Drupal, TYPO3 and WordPress, the four largest Free and Open Source Content Management Systems. The purpose of the alliance is to promote a free and open web for the benefit of everyone. Its president is our very own Maria Skampoura, who is also the president of OSM.

Attending the workshop on behalf of Joomla/OSM were Sigrid Gramlinger (Production Department Coordinator), Richard Gosler (Outreach Department Coordinator) and Harald Leithner (Security Team and 6.1 release manager).

The workshop was delivered by Hans de Raad of OpenNovations, an expert in the field of compliance.

When

October 10th, 2025

Where

HTL Rennweg, Vienna, a technical school that kindly hosted us.

What

The Open Website Alliance was brought into being as a direct response to the Cyber Resilience Act. The EU Cyber Resilience Act (CRA) is a landmark European Union regulation that establishes mandatory, uniform cybersecurity standards for nearly all hardware and software products with digital elements sold within the EU market. The primary goal is to address the low level of security in many connected devices and software by shifting the responsibility for cybersecurity onto manufacturers throughout a product's entire lifecycle.

The CRA mandates that manufacturers must design, develop, and produce products to meet essential cybersecurity requirements, often following a "security by design" principle. Key obligations include conducting comprehensive cybersecurity risk assessments, providing free and timely security updates for the product's expected lifespan (often a minimum of five years), and ensuring products are sold with a secure-by-default configuration. Additionally, manufacturers must report actively exploited vulnerabilities and severe security incidents to EU authorities within strict 24-hour timeframes. Compliance is indicated by the CE marking, and failure to comply can lead to substantial financial penalties of up to €15 million or 2.5% of worldwide annual turnover.

Why

Or, more specifically, why should you care? The OWA (Open Website Alliance) has worked with EU legislators to make them understand that Open Source Software is not manufactured by a single entity but is in fact the product of teams of volunteers working collaboratively to create their software. To that end, we understand that there will be carve-outs in the legislation for some Open Source products.

However, there is a risk to you as a designer, developer or integrator. If you take a piece of software, wrap a design around it, add some extensions and host it, guess what: you are the manufacturer of that site/product!

Outcome

Careful wording of your terms and conditions, to determine whether you provide a product (within scope) or a service (out of scope), is just one of the things we are working on within the OWA, while continuing to liaise with EU legislators to ensure that those who work with FOSS products are not placed in the same category as Microsoft or Google.

Overall it was an excellent workshop, not just for learning about the risks the CRA poses to us, but also for meeting with, and gaining insights from, senior leadership members of the other three OWA member communities.

Some articles published in the Joomla Community Magazine represent the personal opinion or experience of the author on the specific topic and might not be aligned with the official position of the Joomla Project.
