Author: Felix Reda
Word count: 1721
Language: English

Summary

The EU Cyber Resilience Act (CRA), which will be fully applicable in three years, aims to regulate software products on the EU market by establishing cybersecurity, maintenance, and vulnerability disclosure requirements. GitHub and its partners have actively engaged with EU lawmakers to mitigate potential negative impacts on the open source ecosystem, resulting in a clearer allocation of cybersecurity responsibilities to entities with the resources to manage them. While the CRA seeks to address issues like insecure IoT devices and outdated smartphone security, open source projects often lack resources and are not typically involved in commercial activities that the CRA targets. The CRA allows for a distinction between commercial and non-commercial open source activities, placing less regulatory burden on open source developers and organizations unless they are involved in commercial distribution. GitHub has advocated for support rather than regulation of open source projects, emphasizing the importance of clear guidelines to help developers navigate the CRA's implications. Collaboration with initiatives like Germany’s Sovereign Tech Agency and the GitHub Secure Open Source Fund aims to bolster open source cybersecurity through funding and education.