Complete collection of all FAQ topics organized thematically. This includes questions and answers covering all aspects of the Cyber Resilience Act as it relates to open source.
Note: This list includes all FAQs regardless of completion status. Some entries may be drafts, have missing content, or require additional guidance.
🛡️ The Cyber Resilience Act (CRA) itself
- What is the Cyber Resilience Act (CRA)? Approved
- Where is the official text of the CRA? Approved
- When does the CRA enter into force and when does the regulation start to apply? Approved
- What kinds of products are regulated by the CRA? Approved
- What kinds of products are NOT regulated by the CRA? Approved
- What is the ‘CE mark’ and do I need to add it to my software? Approved
- What is the CRA Expert Group? Draft
🧑‍💻 Contributors
🧑‍🔧 Maintainers
- I am worried about how the CRA might impact me, and so I am considering shutting down my open source projects. Should I do that? Draft
- Am I subject to the CRA if I only contribute to an open source project? Draft
- Am I subject to the CRA if I maintain, but do not monetize, an open source project? Draft
- Am I subject to the CRA if I maintain and monetise an open source project? Draft
- If I maintain an open source codebase, and am treated as a “manufacturer” or “steward”, what penalties could I face for violating the CRA? Draft
- I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say? Draft
- Can a solo maintainer be considered to be an open-source software steward? Draft
- Can a loosely organized group of maintainers be considered to be an open-source software steward? Draft
🧰 Open source projects
- What criteria determine whether an open source project is in scope of the CRA? Draft
- What does “Monetizing without making a profit” mean? Draft
- Is distributing binaries or container images of an open source project considered as making it available on the market? Draft
🌱 Open-Source Software Stewards
- Do all open source projects have an open-source software steward? Draft
- What is an open-source software steward? Draft
- Who can be an open-source software steward? Draft
- What are the obligations of open-source software stewards? Draft
- How do open-source software stewards demonstrate that they meet their obligations? Draft Missing Answer
- What happens when an open-source software steward doesn’t meet its obligations? Draft Missing Answer
- Does a steward bear the cost of translating and maintaining its policy documents in many of the EU languages? Draft Missing Answer
🏭 Manufacturers
- What is a manufacturer? Draft
- Can a manufacturer also be an open-source software steward? Draft
- As a manufacturer, if I make a mistake or a security flaw is found in my project, will I get in trouble? Approved
🔌 Standards
📡 Important and Critical Product Categories
- Does a product which includes an open source component belonging to the category of important products (Annex III) inherit that category? Draft
- What is the CRA Expert Group? Draft
🔍 Due diligence
- What is due diligence? Draft Missing Answer
- How are security attestations and due diligence related? Draft Missing Answer
📋 Security attestations
- What is a security attestation in the CRA? Draft
- How are security attestations and due diligence related? Draft Missing Answer