The R open source ecosystem and the EU's Cyber Resilience Act (CRA)

I have been trying to gather information on how the R community (including the R Foundation, the R Consortium, or Posit) is preparing to meet the obligations imposed by the EU Cyber Resilience Act (CRA), which aims at establishing cybersecurity requirements (September 2026: enforcement of vulnerability reporting obligations; December 2027: full enforcement of the regulation), but I found almost nothing:

The R Consortium, at the November [2024] R repository working group meeting, mentioned that the new EU Cyber Resilience Act will affect all R package repositories. They are looking for volunteers to work on making clear the requirements for software stewards (with the Linux Foundation). Requirements should be met by October 2027.

Source:

The recently passed Cyber Resilience Act will require CRAN and all community repositories to make changes to meet its requirements for distribution of packages in the EU. We are asking now for financial support to ensure that we, in coordination with the Linux Foundation, can assist all our repository maintainers to plan and work toward compliance by October of 2027.

Source:

Related renv FR:

Is there anything else I've overlooked?
