EU Cyber Resilience Act (CRA) and what it means for Ansible?

Hello everyone,

We are reaching out to share an important update regarding the evolving regulatory landscape in Europe and how it impacts the Ansible ecosystem. The European Union has introduced the Cyber Resilience Act (CRA), which establishes mandatory cybersecurity requirements for products with digital elements, covering both hardware and software.

Red Hat is proud to be the biggest supporter of the Ansible Project. As part of our continued commitment to strengthening the Ansible ecosystem, Red Hat wants to provide assistance in navigating the CRA requirements in its role as Open Source Software Steward. This approach is intended to avoid imposing unreasonable mandates on the community. To execute this, Red Hat will collaborate with Ansible maintainers to improve existing vulnerability management, incident response and Software Bill of Materials (SBOM) processes, and to implement other security best practices.

What is CRA?

The Cyber Resilience Act (CRA) Regulation (EU) 2024/2847 is a piece of European Union legislation establishing cybersecurity requirements for products with digital elements. It represents the EU’s continued efforts to ensure that hardware and software products placed on the European market meet baseline security standards throughout their lifecycle.

The CRA ushers in a new era for governing the software supply chain. For decades, open source communities have relied on voluntary teamwork and best-effort security practices, operating without formal warranties or liability. The CRA marks a significant shift, imposing mandatory cybersecurity requirements on products with digital elements made available on the EU market, focusing on three goals:

  • Reduce vulnerabilities in digital products
  • Ensure cybersecurity is maintained throughout a product’s life cycle
  • Enable users to make informed decisions when selecting and operating digital products

As modern software is so deeply interconnected, foundational Ansible upstream projects can no longer function in an isolated vacuum. The CRA acknowledges the spirit of free and open source software (FOSS) and the role it plays in the global software ecosystem; it therefore explicitly distinguishes the roles of commercial manufacturers and the Open Source Software Steward, establishing a framework for an entity to manage these legal complexities while safeguarding the spirit of open collaboration.

Open Source Stewardship and the Ansible Community

The Open Source Software Steward's role is to support its open source community and enable the release of secure open software, covering key areas such as:

  • establishing secure development practices,
  • vulnerability management and reporting, and
  • maintaining documentation around these areas.

By assuming this role, Red Hat would absorb the administrative compliance burden and shield Ansible community volunteers from regulatory liability. Red Hat intends to do this by establishing new processes, automating necessary security hygiene, and improving existing processes and guidelines rather than imposing unreasonable mandates on the community.

Timeline for CRA Obligations - Stewards

11 September 2026: Vulnerability reporting begins

11 December 2027: Full compliance required

From 11 September 2026, Stewards must report actively exploited vulnerabilities and severe incidents affecting the security of their products that they become aware of to ENISA (the European Union Agency for Cybersecurity) and the CSIRT (Computer Security Incident Response Team) designated as coordinator in the relevant Member State.

Furthermore, as mentioned above, another key focus of the CRA is the software supply chain.

What does this mean for Ansible contributors, maintainers and users?

  • For Contributors and Maintainers: The aim of the CRA is to foster a security mindset in technology and to make "security by default" a reality. The regulation provides a unique shared opportunity to elevate software trust. The CRA is not designed to penalize contributors and maintainers; it helps us to be proactive rather than reactive when it comes to security. Red Hat, as the trusted companion of the Ansible Project, is there to help, to support Ansible's Stewardship duties and to share the burden of compliance under the CRA.
  • For Users: You can have even greater confidence in the Ansible ecosystem. These changes are designed to provide better transparency into the security posture of the collections and tools you rely on.

Next Steps & Feedback

Expect more updates in the coming months under the infra-and-security and CRA tags. Finally, if you have any ideas or questions on this topic, please reply to this post.