The EU Cybersecurity Resilience Act (CRA) - Boring, Scary or Exciting?

CVE/FIRST VulnCon 2025 · Main Stage

Mike Bessel, co-chair of the OpenSSF Global Cyber Policy Working Group and Executive Director of the Confidential Computing Consortium, delivered this talk at VulnCon dissecting the European Union's Cybersecurity Resilience Act (CRA). The presentation offers an insightful and often humorous analysis of the legislation, aiming to clarify its scope, its impact, and the practical steps organizations must take to comply.

AI review

Competent policy walkthrough of the EU CRA from someone with genuine standing in the open-source policy space. Bessel knows the regulation and explains the manufacturer/steward/maintainer trichotomy clearly, which is genuinely useful for a VulnCon audience that skews technical and may not have engaged with the regulatory text. The open-source angle — particularly the steward concept and the indirect funding incentive — is the talk's strongest original contribution. But this is ultimately a well-organized explainer, not analysis that surfaces second-order effects or insider signal unavailable…
