Summary
Your company may be considered an open-source software steward under the CRA if it provides sustained support for the development of free and open-source software (FOSS) intended for commercial activities and plays a main role in ensuring the viability of those products.
Relevant CRA Provisions
– Recital 17, Recital 18, Recital 19, Recital 20
– Article 9, Article 24
Detailed Explanation
Under the CRA, an open-source software steward is defined as a legal person who provides sustained support for the development of free and open-source software (FOSS) intended for commercial activities and plays a main role in ensuring the viability of those products. This includes entities such as certain foundations and businesses that develop and publish FOSS in a business context, including not-for-profit entities.
Key activities that may indicate your company is an open-source software steward include:
– Hosting and managing software development collaboration platforms.
– Hosting source code or software.
– Governing or managing FOSS products.
– Steering the development of FOSS products.
It is important to note that merely hosting FOSS on open repositories does not constitute making the software available on the market. Your company would be considered a distributor only if it makes such software available on the market for distribution or use in a commercial activity.
Obligations for Stakeholders
If your company is determined to be an open-source software steward, it will have specific obligations under the CRA, including:
– Establishing and documenting a cybersecurity policy to foster secure product development and effective vulnerability handling.
– Cooperating with market surveillance authorities to mitigate cybersecurity risks.
– Providing documentation to market surveillance authorities upon request.
– Complying with certain obligations under Article 14 related to incident handling and reporting.