Cyber Resilience Special Interest Group (SIG) of ORC WG.
GitHub Team: @orcwg/cyber-resilience-sig
- Dirk-Willem van Gulik (@dirkx), The Apache Software Foundation
- Simon Phipps (@webmink), Software Heritage Foundation - Inria Foundation
- Timo Perala (@timop62), Nokia
GitHub Team: @orcwg/cyber-resilience-sig-leads
The scope of the Cyber Resilience SIG is a strict subset of the scope of ORC WG. Whereas the working group is chartered to address any kind of emerging regulation impacting open source, the Cyber Resilience SIG is solely focused on cyber resilience regulation. Expect all of the CRA-related work to happen in this SIG.
In 2025, the SIG will focus on the deliverables needed to help the open source community (notably open source software stewards) meet the regulatory obligations outlined in the CRA, and to help downstream users (manufacturers) continue to leverage open source in their products and services while meeting their own regulatory requirements.
In its Deliverables Plan, the SIG has identified a set of specifications that are required to further its mission. The intention is for the Cyber Resilience Practices Project to host these specifications and develop them with guidance from the SIG.
- Dirk-Willem van Gulik (@dirkx), The Apache Software Foundation
- Mikael Barbero (@mbarbero), Eclipse Foundation
- Simon Phipps (@webmink), Software Heritage Foundation - Inria Foundation
- Timo Perala (@timop62), Nokia
The Cyber Resilience SIG has formed the following task forces:
| Name | Focus Area | GitHub Team | Slack Channel | Deliverables | Minutes | End date |
|---|---|---|---|---|---|---|
| Deliverables Plan Task Force | Define a deliverables plan for the SIG for 2025 | | | Deliverables Plan | Minutes | 2025-03-03 |
| FAQ Task Force | Collect, answer, and organize questions from the community on the CRA | @orcwg/faq-tf | #tf-faq | FAQ | Minutes | 2025-06-30 |
| Inventory Task Force | Collect and organize resources relevant to the implementation of the CRA | @orcwg/inventory-tf | | Inventory | Minutes | 2025-06-30 |
| Vulnerability Handling Task Force | | @orcwg/vulnerability-handling-tf | #tf-vulnerability-handling | Possible white paper on vulnerability handling | Minutes | 2025-12-31 |
| Open Source Hardware Task Force | Provide input and comments to key stakeholders on matters pertaining to open source hardware | @orcwg/open-source-hardware-tf | | Input and comments | Minutes | 2027-12-31 |
In its Deliverables Plan, the SIG has identified key stakeholders that it intends to collaborate closely with and provide input to. To coordinate this effort, the SIG relies on representatives drawn from its members.
| Group | GitHub Team | Lead |
|---|---|---|
| CRA Expert Group | @orcwg/cra-expert-group | Juan Rico |
| CEN/CENELEC WG 9 | @orcwg/cen-cenelec-wg-9 | Juan Rico |
| ETSI CYBER-EUSR | @orcwg/etsi-cyber-eusr | Simon Phipps |
ORC WG is chartered to address any regulation impacting open source communities and open source usage. It can establish Special Interest Groups (SIGs) for domain-specific work.
The initial focus of ORC WG is to help open source communities and the broader tech industry better understand and prepare to meet the compliance requirements of the European Cyber Resilience Act (CRA). However, cyber resilience is a topic that is broader than Europe, and ORC WG aims to facilitate compliance across jurisdictions, not only in the EU. A SIG focused on cyber resilience in general, not just on the CRA, will help achieve this goal.
As new regulations impacting open source communities emerge, it is expected that additional SIGs modeled on this initial one will be formed.