Article 25 establishes a voluntary security attestation programme for free and open-source software (FOSS). ENISA runs the programme, which enables open-source components to undergo a structured security assessment and receive an attestation certificate. Manufacturers integrating attested FOSS components into their products can reference the attestation as evidence of component due diligence under Article 13. The programme bridges the gap between the CRA's manufacturer obligations and the open-source ecosystem's development model.
What Is Security Attestation Under Article 25?
Security attestation is a voluntary, structured assessment of a free and open-source software component's security properties, carried out under a programme administered by ENISA. A successful attestation results in a certificate confirming that the assessed component meets specified security criteria.
Attestation is distinct from the mandatory conformity assessment under Articles 7 and 8. It does not create CE marking obligations or an EU Declaration of Conformity for the open-source component. Instead, it provides a third-party-validated security credential that manufacturers can reference when documenting their component due diligence under Article 13(6)-(8).
The attestation is particularly valuable for widely used open-source libraries and components that are integrated into dozens or hundreds of commercial products — enabling manufacturers to rely on a single assessment rather than each independently evaluating the component.
How the Attestation Programme Works
ENISA establishes the technical criteria and procedural framework for the attestation programme. The expected process is:
- Application: The open-source steward (or a manufacturer on behalf of a component they extensively use) applies to ENISA or an accredited assessment body
- Technical assessment: The component undergoes security assessment covering source code analysis, dependency review, vulnerability history, and development security practices
- Attestation decision: The assessor issues an attestation certificate if the criteria are met, specifying the component version(s) assessed, the scope of the assessment, and the validity period
- Public listing: Attested components are listed in a public ENISA registry, enabling manufacturers to identify and reference attested components
- Renewal: Attestations are time-limited; stewards must re-apply for renewed attestation when software versions change materially
ENISA publishes the technical criteria for attestation, which manufacturers can use to assess whether unattested components meet equivalent standards.
Value for Manufacturers Under Article 13
For manufacturers integrating FOSS components into their products, Article 25 attestation provides practical value for Article 13(6)-(8) component due diligence:
- Reduced assessment burden: A manufacturer can rely on ENISA's attestation rather than conducting an independent security review of the component
- Documented due diligence: The attestation certificate is a concrete, auditable record of component security assessment
- Conformity assessment support: For Annex III products, a notified body assessing the product can take comfort from attested components, potentially reducing assessment scope
Manufacturers should note that using an attested component does not transfer compliance responsibility. The manufacturer remains responsible for ensuring the component is correctly integrated and remains free from newly discovered vulnerabilities after attestation. Attestation is evidence of due diligence at a point in time, not a guarantee of ongoing security.
Interaction with Existing Security Certifications
Article 25 attestation is designed to complement — not duplicate — existing security certifications for open-source software. Where a component already holds a relevant certification (e.g., Common Criteria EAL for a cryptographic library), ENISA may accept this as equivalent to or supporting evidence for attestation, avoiding unnecessary duplication.
The programme also interfaces with the broader EU cybersecurity certification framework under the EU Cybersecurity Act. For components used in Annex IV (critical) products, the attestation level may need to meet the 'substantial' assurance threshold.
Frequently asked
Is Article 25 attestation mandatory for any open-source component?
No. Article 25 attestation is entirely voluntary. Open-source components do not need to be attested to be used in CRA-regulated products. However, manufacturers integrating unattested components must conduct their own due diligence under Article 13(6)-(8) and document it in the technical file. Attestation is one of several ways to satisfy the due diligence requirement.
Can a manufacturer request attestation for a component they use extensively?
Yes. Article 25 allows manufacturers (not only open-source stewards) to request attestation for components they heavily rely on. This is particularly valuable where the open-source steward is a small community project without the resources to pursue attestation independently. The manufacturer bears the costs in such cases.
How long does an attestation remain valid?
ENISA specifies validity periods in the programme criteria. Attestations are expected to be valid for a specified software version or version range, with re-assessment required after material code changes. Manufacturers tracking attested components should monitor ENISA's registry for attestation renewal status.
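The points above (attestation scoped to a version range, time-limited validity, no guarantee against vulnerabilities disclosed after the assessment date) translate directly into a check a manufacturer can run over its component inventory. The following Python is an added example, not code from this page and not an ENISA tool; the registry record layout, component names, advisory identifiers and dates are all constructed for illustration, since ENISA's registry format is not specified here.

```python
"""Component due-diligence check against an attestation registry.

Constructed example: the Attestation record shape is an assumption about what
an attestation registry entry would need to carry (component, assessed version
range, assessment date, validity period); it is not ENISA's real format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Attestation:
    component: str
    version_min: str      # inclusive lower bound of the assessed version range
    version_max: str      # inclusive upper bound
    assessed_on: date     # the point in time the evidence actually reflects
    valid_until: date     # renewal is needed after this date


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str
    published: date


@dataclass
class Finding:
    component: str
    version: str
    status: str           # attested | expired | out_of_scope | unattested
    attestation: Optional[Attestation] = None
    later_advisories: List[str] = field(default_factory=list)
    action: str = ""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted-version comparison; good enough for the sample data."""
    return tuple(int(p) for p in v.split("."))


def in_scope(att: Attestation, version: str) -> bool:
    v = parse_version(version)
    return parse_version(att.version_min) <= v <= parse_version(att.version_max)


def check_component(name: str, version: str, registry: List[Attestation],
                    advisories: List[Advisory], today: date) -> Finding:
    """Classify one inventory entry and say what the technical file needs."""
    matches = [a for a in registry if a.component == name]
    if not matches:
        return Finding(name, version, "unattested",
                       action="perform and document own Article 13(6)-(8) review")
    scoped = [a for a in matches if in_scope(a, version)]
    if not scoped:
        return Finding(name, version, "out_of_scope", attestation=matches[0],
                       action="version outside attested range; own review required")
    att = max(scoped, key=lambda a: a.assessed_on)   # newest applicable attestation
    # Attestation is evidence at a point in time: anything disclosed afterwards
    # is not covered by it and must be reviewed separately.
    later = sorted(adv.advisory_id for adv in advisories
                   if adv.component == name and adv.published > att.assessed_on)
    if today > att.valid_until:
        status, action = "expired", "check registry for renewal; re-assess meanwhile"
    else:
        status, action = "attested", "record certificate reference in technical file"
    if later:
        action += "; review post-attestation advisories " + ", ".join(later)
    return Finding(name, version, status, att, later, action)


def check_inventory(inventory, registry, advisories, today) -> List[Finding]:
    return [check_component(n, v, registry, advisories, today) for n, v in inventory]


# Constructed sample data (hypothetical components, dates and advisory ids).
REGISTRY = [
    Attestation("libfoo", "2.4.0", "2.4.9", date(2026, 1, 15), date(2027, 1, 15)),
    Attestation("netparse", "1.0.0", "1.3.0", date(2025, 3, 1), date(2026, 3, 1)),
]
ADVISORIES = [Advisory("libfoo", "EXAMPLE-2026-0001", date(2026, 4, 2))]
INVENTORY = [("libfoo", "2.4.3"), ("libfoo", "2.5.0"),
             ("netparse", "1.2.1"), ("examplelib", "1.0")]
TODAY = date(2026, 6, 1)

if __name__ == "__main__":
    for f in check_inventory(INVENTORY, REGISTRY, ADVISORIES, TODAY):
        print(f"{f.component} {f.version}: {f.status} -> {f.action}")
```

The four sample entries exercise each outcome: a component inside an attested range but with an advisory published after the assessment date, a version outside the attested range, an attestation past its validity date, and a component with no attestation at all. Each finding's `action` is the sentence that belongs in the technical file for that entry.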