Summary / Executive Brief
The EU Cyber Resilience Act (CRA) introduces specific provisions for free and open-source software (FOSS), aiming to balance cybersecurity objectives with the unique characteristics of open-source development. The CRA generally exempts non-commercial FOSS from its requirements, but applies obligations to open-source software that is supplied in the course of commercial activities. It also establishes a tailored, lighter regulatory regime for entities known as “open-source software stewards.” This approach seeks to foster innovation and community collaboration while ensuring that products with digital elements integrated into commercial offerings meet essential cybersecurity standards.
Why this topic matters (CRA context, affected parties)
Open-source software is foundational to the digital economy, powering everything from infrastructure to consumer devices. The CRA’s approach to FOSS is crucial for:
- Developers and maintainers of open-source projects, including individuals, non-profits, and foundations.
- Businesses (especially SMEs and start-ups) that rely on or integrate open-source components into commercial products.
- Consumers and enterprises who depend on the security and reliability of products with digital elements.
- Regulators and market surveillance authorities tasked with enforcing cybersecurity requirements.
The CRA’s provisions directly influence how open-source software can be developed, distributed, and integrated into commercial products across the EU.
Relevant CRA Provisions
- Recitals (17), (18), (19), (20): Define the scope of FOSS under the CRA, clarify what constitutes commercial activity, and outline the rationale for a tailored regime for open-source stewards.
- Article 24: Sets out obligations for open-source software stewards, including cybersecurity policies and cooperation with authorities.
- Article 25: Enables the creation of voluntary security attestation programmes for FOSS.
- Recital (22): Addresses dependency assessments and the role of software bills of materials (SBOMs) in monitoring open-source use.
In-Depth Explanation
Scope of Application
The CRA distinguishes between open-source software supplied for commercial purposes and that which is not. Only FOSS “made available on the market” in the course of a commercial activity falls within the CRA’s scope (Recitals 17, 18). Non-commercial FOSS—such as software shared freely without monetisation or commercial intent—is generally excluded, regardless of how it is developed or financed.
Key clarifications:
- Commercial activity is not determined by how the software is developed or financed, but by the circumstances in which it is supplied. Recital 18 lists indicators of commercial supply: charging a price for the software, or for technical support beyond the recovery of actual costs; an intention to monetise, for example through a platform that monetises other services; requiring the processing of personal data as a condition of use for purposes other than security, compatibility or interoperability; or accepting donations that exceed the costs of designing, developing and providing the software. Donations accepted without the intention of making a profit are not a commercial activity.
- Open-source software stewards (e.g., foundations or not-for-profits that support FOSS for commercial integration) are subject to a lighter regulatory regime, not the full set of manufacturer obligations (Recital 19, Article 24).
- Mere hosting of FOSS on repositories or platforms does not constitute making it available on the market (Recital 20).
Obligations for Open-Source Software Stewards
Entities that play a key role in the ongoing viability of FOSS intended for commercial use—such as managing development platforms or steering projects—must:
- Implement and document a cybersecurity policy tailored to their context (Article 24(1)).
- Promote vulnerability reporting and information sharing within the open-source community.
- Cooperate with market surveillance authorities, providing documentation and support as needed (Article 24(2)).
- Take on the manufacturer's reporting obligations of Article 14 in two situations: reporting actively exploited vulnerabilities to the extent that the steward is involved in developing the product, and reporting severe incidents where those incidents affect network and information systems the steward provides for the development of the product (Article 24(3)).
Stewards are not treated as manufacturers, so the steward regime does not include the conformity assessment and CE marking obligations that apply to manufacturers of the products they support (Recital 19).
Voluntary Security Attestation
The CRA empowers the Commission to establish voluntary security attestation schemes for FOSS, helping manufacturers and users assess conformity with cybersecurity requirements (Article 25).
Practical Implications
- Non-commercial FOSS developers (individuals, non-profits, academics) are generally not subject to CRA obligations.
- Anyone who supplies FOSS in the course of a commercial activity, including manufacturers that integrate it into monetised products, takes on the full manufacturer obligations, including conformity with the essential cybersecurity requirements.
- Open-source software stewards must implement a verifiable cybersecurity policy and cooperate with authorities, but face lighter obligations than full manufacturers.
- Manufacturers integrating FOSS components into their products must exercise due diligence on those components (Article 13(5)); voluntary security attestations under Article 25 are intended to support that due diligence.
- Documentation: Stewards must be able to provide cybersecurity policy documentation to authorities upon request.
- Risk areas: Unclear boundaries between commercial and non-commercial supply, and between stewardship and manufacturing roles, may create compliance uncertainties.
Relation to Other Laws
The CRA’s approach to FOSS complements other EU digital regulations:
- NIS2 Directive: Focuses on the cybersecurity of essential and important entities, which may overlap with commercial FOSS suppliers.
- GDPR: Data protection obligations may apply independently of the CRA, especially where FOSS processes personal data.
- Radio Equipment Directive (RED): Sets security requirements for certain connected products, potentially including those using FOSS.
Open Questions or Areas of Uncertainty
- Definition of "commercial activity": Recital 18 gives indicators (pricing, paid support beyond cost recovery, monetisation through related services, personal-data conditions of use, donations exceeding costs), but edge cases such as indirect monetisation, mixed donation and sponsorship models, and dual-licensing may still require further clarification.
- Role of stewards vs. manufacturers: The boundary between stewardship and manufacturing may be blurred in some projects.
- Implementation of voluntary security attestation: Details on how these schemes will operate and be recognised remain to be developed.
- Guidance from the Commission: Further guidance is anticipated to clarify practical application, especially for SMEs and microenterprises (Recital 6).