
Demystifying CRA for the community

Track: Ethics, Social Responsibility, Sustainability, Legal
Type: Talk
Level: beginner
Duration: 30 minutes

Abstract

In September 2026, a month after EuroPython, the first wave of legal obligations under the EU Cyber Resilience Act (CRA) will wash over the software world. For us in the open-source community, the CRA has been a source of major confusion, dilemma, and anxiety:

  • 'Will my hobby project make me liable?'
  • 'Is my Python package "commercial activity"?'
  • 'Will the PSF be liable for your code?'
  • 'Do I really need an SBOM for a Python library?'

In this talk I, a lawyer, engineer, and FOSS alumnus, will cut through the legal jargon to explain what the CRA actually is, why it exists, and how it changes the "manufacturer" relationship with open-source code. We will walk through the new legal roles—from Manufacturers to the newly defined "Stewards"—and provide a clear "To-Do and Not-To-Do" list for community maintainers. Whether you are a solo contributor or part of a major foundation, this session will help you navigate the 2026–2027 transition period with confidence.