
The Cyber Resilience Act has a special approach to free and open-source software, given its central role in ensuring the cybersecurity of products with digital elements and its contributions to the European Union’s economy.

How does the CRA address free and open-source software?

The CRA recognises that, to foster the development and deployment of free and open-source software, special attention should be paid to the nature of the different development models of software distributed and developed under free and open-source software licences.

This is why only free and open-source software that is made available on the market, and therefore supplied for distribution or use in the course of a commercial activity, falls within the scope of the Cyber Resilience Act. Notably, the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered a commercial activity. Additionally, the CRA does not apply to developers who contribute source code to free and open-source software products that are not under their responsibility.

Furthermore, recognising the importance for cybersecurity of many products with digital elements qualifying as free and open-source software that are published but not made available on the market within the meaning of the CRA, the novel legal category of open-source software stewards is introduced. These are legal persons who provide support on a sustained basis for the development of such products intended for commercial activities, who play a main role in ensuring their viability, and who are subject to a light-touch and tailor-made regulatory regime.

Further guidance will clarify how the CRA applies to free and open-source software.

What are the main obligations?

Where a manufacturer places on the market a product with digital elements that qualifies as free and open-source software, it is subject to the obligations of manufacturers.

Where a legal person does not place such products on the market but provides systematic support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software and intended for commercial activities, and ensures the viability of those products, it is subject to the obligations of open-source software stewards.

Open-source software stewards are subject to the obligations laid down in Article 24, notably: putting in place a cybersecurity policy to foster secure development and the handling of vulnerabilities; cooperating with market surveillance authorities; and reporting actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements. In accordance with Article 64(10), open-source software stewards are not subject to administrative fines for infringements of the CRA.

Relevant cooperation bodies

Representatives of free and open-source software are members of the Expert Group on the Cybersecurity of Products with Digital Elements (CRA Expert Group).

Reference documents and links

Frequently Asked Questions on the CRA implementation

Resources in the open-source community to support CRA implementation

Open-source communities have developed a range of freely accessible resources on the CRA. A non-exhaustive list includes:

The Commission is not responsible for the accuracy of the information provided in the links below; you are invited to get in touch if you wish to list initiatives or resources on the CRA.

Related content

Overview

Introducing the Cyber Resilience Act: the EU's new plan to ensure that all digital products are safe from cyber threats. This important set of rules requires devices and software to be designed, updated and maintained to protect users in our increasingly digital world. Experience a safer, connected future, where your security comes first.

See also

Open Source

Open source is a key driver of Europe’s digital future, supporting technological sovereignty...