Hello Dan and all,

On the content of the CRA - one of my favorite topic 😉. A few things to pinpoint: -EU published earlier this month a “CRA guidelines document” -> https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16... with especially section 3 “ free and open-source software” and so part of section 7 related to due diligence for cybersecurity risk assessment. -Eclipse ORC has also published recently on voluntary security Attestations: Attestations in Progress | Open Regulatory Compliance Working Grouphttps://orcwg.org/blog/attestations-update-mar2026/ and associated template proposal: cra-attestations/proposals/gen-two-tier-approach.md at main · orcwg/cra-attestationshttps://github.com/orcwg/cra-attestations/blob/main/proposals/gen-two-tier-approach.md#light-weight-voluntary-security-attestations -Zephyr project published also recently a good information page on CRA including a section about Zephyr as an open source steward : EU Cyber Resilience Act (CRA) — Zephyr Project Documentationhttps://docs.zephyrproject.org/latest/security/standards/cyber-resilience-act.html

Regards,

Eric Finco

[Description: Description: Description: Description: Description: Description: Description: Description: Description: Description: Description: Description: Description: logo_big5] Eric FINCO | Tel: +33 (0)2 4402 7154 MDG | Technical Specialist Fellow, Technical Staff College (TSC) France Board Chairman

From: Dan Handley via TSC tsc@lists.trustedfirmware.org Sent: Thursday, March 19, 2026 11:03 AM To: tsc@lists.trustedfirmware.org Subject: [TF-TSC] TSC agenda 2026-03-09

Hi all

I only have a few small topics for today's TSC so I'm not expecting a long meeting (yes, I know I've said that before). Please let me know if you have anything else.

* PSA Certified API spec governance.

* TF.org CVE allocation

* CoreCollective CCA working group

Regards

Dan.