Open Source Software & the CRA
Navigate the complex relationship between open source development and EU cybersecurity requirements. Understand exemptions, steward obligations, and when commercial activity rules apply.
Critical: Commercial Activity Threshold
The line between exempt open source development and regulated commercial activity can be unclear. Regular financial contributions or systematic commercial support may trigger CRA obligations.
If you qualify as an "open source software steward," you have specific CRA obligations starting December 11, 2027, including cybersecurity policies and vulnerability reporting.
The CRA & Open Source in Plain English
The CRA creates the first formal recognition of open source software in EU regulation. Here's what it means: **The Good News**: Pure open source development without commercial intent remains largely exempt from CRA requirements. If you're contributing to open source projects as a volunteer or maintainer without systematic commercial support, you're typically not covered. **The Complexity**: The CRA introduces "open source software stewards" - organizations that provide sustained support for open source projects intended for commercial use. These stewards face light-touch obligations but still have real compliance requirements. **The Key Question**: When does open source development become "commercial activity"? The CRA tries to draw clear lines, but edge cases exist around donations, sponsorships, and corporate contributions.
Sponsored Content
Start Here: Find Your Open Source CRA Path
Choose your situation to get targeted guidance
Individual Developer
You contribute to open source projects as an individual
Open Source Foundation
You manage or work for an organization supporting open source projects
Company Using Open Source
Your business integrates open source components into commercial products
Corporate Open Source
Your company develops and releases open source software
Your 4-Step Path to CRA Open Source Compliance
Follow these steps to achieve full compliance. Each step builds on the previous one, creating a comprehensive compliance program.
1. Determine Your CRA Status
Identify if your open source activities constitute commercial activity and steward obligations
Key Actions
- Map all open source projects you contribute to or support
- Evaluate the commercial intent and usage of these projects
- Assess your role in ensuring project viability
- Determine if you provide systematic commercial support
Available Tools
Real Examples
2. Develop Cybersecurity Policy (Stewards)
Create and document cybersecurity policies for supported open source projects
Key Actions
- Document vulnerability discovery and disclosure processes
- Establish secure development practices for supported projects
- Create incident response procedures for actively exploited vulnerabilities
- Implement community collaboration frameworks for security issues
Available Tools
Real Examples
3. Implement Vulnerability Reporting
Set up systems to report actively exploited vulnerabilities to authorities
Key Actions
- Establish relationships with national cybersecurity authorities
- Implement 24-hour notification procedures
- Create vulnerability monitoring and detection systems
- Test reporting workflows and communication channels
Available Tools
Real Examples
4. Coordinate with Open Source Community
Align CRA compliance with existing community security practices
Key Actions
- Promote vulnerability sharing within the open source community
- Coordinate with other stewards and foundations on shared standards
- Contribute to CRA implementation guidelines for open source
- Educate project contributors about CRA implications
Available Tools
Real Examples
What CRA Open Source Actually Requires You to Do
Individual Contributors (Exempt)
Personal open source contributions remain unregulated
- • Volunteer contributions to community projects
- • Personal repositories and side projects
- • Non-systematic development without commercial backing
Open Source Stewards (Light-Touch)
Organizations supporting commercial open source projects
- • Document cybersecurity policy for supported projects
- • Report actively exploited vulnerabilities within 24 hours
- • Promote vulnerability sharing with community
Commercial Users (Full Compliance)
Companies integrating open source into CRA-regulated products
- • Conduct due diligence on open source components
- • Maintain software bill of materials (SBOM)
- • Monitor dependencies for security vulnerabilities
Sponsored Content
Free CRA Open Source Compliance Tools
Steward Assessment Tool
Determine if your organization qualifies as an open source software steward under CRA Article 24
Cybersecurity Policy Template
Article 24 compliant cybersecurity policy template for open source software stewards
Vulnerability Reporting Guide
Step-by-step guide for steward vulnerability notification requirements to authorities
Sponsored Content
Common CRA Open Source Questions
Does the CRA kill open source software?
No. The CRA includes specific exemptions for non-commercial open source development. Pure volunteer contributions and community projects remain largely unaffected. However, organizations providing systematic commercial support for open source projects may face light-touch compliance obligations.
When does accepting donations trigger CRA obligations?
Simple donations without profit intent don't trigger CRA obligations. However, regular financial assistance from manufacturers who integrate your software into commercial products may qualify you as an open source software steward with compliance requirements.
What is an "open source software steward" under the CRA?
A steward is any legal entity (other than a manufacturer) that systematically provides sustained support for open source projects intended for commercial activities. This includes foundations, platforms, and organizations ensuring project viability.
Do GitHub, GitLab, and other platforms become stewards?
Platforms that merely host code typically don't qualify as stewards. Stewardship requires systematic support for development and ensuring project viability, not just providing infrastructure. However, platforms offering commercial services around specific projects might qualify.
How do I know if my open source project is "intended for commercial activities"?
Projects intended for commercial activities are those designed for integration into commercial services or monetized products. Key factors include: target audience, documentation focus, commercial partnerships, and explicit business use cases.
What cybersecurity policy must stewards maintain?
Stewards must document policies covering vulnerability discovery, disclosure, and remediation processes. The policy should promote community vulnerability sharing and include incident response procedures for actively exploited vulnerabilities.
Do stewards need conformity assessments like manufacturers?
No. Stewards face a "light-touch" regime with only three main obligations: cybersecurity policy, vulnerability reporting, and community information sharing. They don't need full conformity assessments, CE marking, or technical documentation.
Can companies still use open source software in CRA-regulated products?
Yes, but companies must include open source components in their due diligence, security assessments, and software bills of materials. The company using open source in commercial products bears responsibility for CRA compliance.
What happens to Linux distributions and package managers?
Most Linux distributions and package managers qualify as stewards due to their systematic support role. They'll need cybersecurity policies and vulnerability reporting procedures but avoid the full manufacturer obligations that would be impractical for their model.
How should open source projects prepare for CRA compliance?
Projects should: clarify their commercial intent, establish clear governance structures, document security practices, create vulnerability disclosure processes, and consider whether foundation or steward status is appropriate for their situation.
Need Help with CRA Open Source Compliance?
Our experts can help you determine your steward status and develop compliant policies.
Individual Developers & Contributors
Good News: Most Individual Contributions Are Exempt
If you're contributing to open source as an individual without systematic commercial support, you're typically not covered by the CRA.
✅ Clearly Exempt Activities
- Personal GitHub repositories and side projects
- Volunteer contributions to community projects
- Bug fixes and feature contributions without payment
- Maintaining projects without commercial backing
- Academic or research-focused open source work
⚠️ Gray Area Activities
- Accepting regular sponsorships from companies
- Contributing to projects with explicit commercial focus
- Maintaining projects primarily used in commercial products
- Receiving systematic financial support from manufacturers
Key Principle: Commercial Activity Threshold
The CRA distinguishes between pure community development and development with commercial intent. The critical factor is whether your work is "intended for commercial activities."
Projects that are "openly shared and freely accessible, usable, modifiable and redistributable" without monetization remain exempt.
Open Source Foundations & Stewards
Article 24: Light-Touch Regulatory Regime
Organizations qualifying as "open source software stewards" face tailored obligations designed for the open source ecosystem.
Steward Definition & Qualification
What Makes You a Steward?
Systematic Support
You provide ongoing, organized support for specific open source projects
Commercial Intent
The projects you support are intended for commercial activities or integration
Viability Responsibility
You play a main role in ensuring the continued viability of these projects
Steward Obligations Under Article 24
1. Cybersecurity Policy
- • Document vulnerability management processes
- • Establish secure development practices
- • Create incident response procedures
- • Promote community vulnerability sharing
- • Foster voluntary vulnerability reporting
2. Vulnerability Reporting
- • Report actively exploited vulnerabilities to authorities
- • 24-hour notification timeline for severe incidents
- • Apply only to vulnerabilities you become aware of
- • Focus on projects you actively support
3. Community Coordination
- • Share vulnerability information with open source community
- • Coordinate with other stewards on security standards
- • Promote responsible disclosure practices
- • Support community security initiatives
Example Steward Organizations
Likely Stewards:
- • Apache Software Foundation
- • Linux Foundation
- • Eclipse Foundation
- • Mozilla Foundation
- • Cloud Native Computing Foundation
Typically Not Stewards:
- • GitHub, GitLab (hosting platforms)
- • Package registries (npm, PyPI)
- • Individual project maintainers
- • Academic research groups
- • Community-driven projects without formal organization
Commercial Use of Open Source
When Open Source Becomes Regulated
The moment you integrate open source software into a commercial product that falls under CRA scope, you become responsible for ensuring that software meets CRA requirements.
Critical Manufacturer Responsibility
You cannot transfer CRA liability to open source projects. If you're the manufacturer of a CRA-regulated product, you're responsible for the security of all components, including open source ones.
Due Diligence Requirements
Component Assessment
Risk Management
Corporate Open Source Contributions
The Commercial Activity Line
When companies contribute to or sponsor open source projects, they may cross the threshold from exempt community development to regulated commercial activity.
✅ Likely Still Exempt
- • Occasional bug fixes and contributions
- • One-time donations to projects
- • Employee volunteer contributions
- • Participating in community governance
❌ Likely Commercial Activity
- • Regular financial support for project viability
- • Systematic development contributions
- • Directing project roadmap for business needs
- • Creating projects specifically for commercial integration
Best Practices for Corporate Contributors
🎯 Clear Intent Documentation
Clearly document the intent and scope of your open source contributions. Distinguish between community benefit and commercial objectives.
🔄 Governance Separation
Consider governance structures that separate commercial interests from community development.
📊 Impact Assessment
Regularly assess whether your involvement makes you a steward under CRA definitions.
Real-World Scenarios
🏢 Scenario 1: Corporate-Sponsored Foundation
Situation: A major tech company provides 80% of funding for an open source web framework foundation used in thousands of commercial applications.
CRA Status: Likely qualifies as steward due to systematic commercial support and ensuring project viability for commercial use.
👨💻 Scenario 2: Individual Maintainer with Sponsorships
Situation: An individual maintains a popular JavaScript library, receives GitHub sponsorships totaling $50,000/year, but has no formal commercial agreements.
CRA Status: Likely exempt as sponsorships are donations without systematic commercial support or stewardship obligations.
🏭 Scenario 3: IoT Device with Open Source Components
Situation: A manufacturer creates IoT devices using Linux, OpenSSL, and various community libraries.
CRA Status: Manufacturer has full CRA compliance obligations including due diligence on all open source components. The open source projects themselves remain exempt.
🌐 Scenario 4: Platform Hosting Open Source
Situation: A platform like GitHub hosts millions of open source repositories and provides CI/CD services.
CRA Status: Typically not a steward as hosting infrastructure doesn't constitute systematic development support or ensuring project viability.
Key Exemptions & Safe Harbors
📜 Legal Exemptions
- ✓ Non-Commercial Development: Software developed outside commercial activity
- ✓ Donation Acceptance: Donations without profit intent don't trigger obligations
- ✓ Open Sharing: Freely accessible, modifiable, and redistributable software
- ✓ Non-Monetized Projects: Software not monetized by manufacturers
🛡️ Protection Strategies
- → Clear Governance: Separate community and commercial interests
- → Foundation Transfer: Move stewardship to independent foundations
- → Intent Documentation: Clearly state non-commercial development purposes
- → Community Focus: Emphasize community benefit over commercial objectives