🧑‍🔧 Maintainers

Understanding the role of maintainers under the CRA and clarifying their obligations

I am worried about how the CRA might impact me, and so I am considering shutting down my open source projects. Should I do that?

The CRA should have zero or minimal impact on most open source developers, so you should probably not shut down your open source projects because of the CRA. There are several reasons for this:

First, the CRA likely does not apply to you.

Second, even if the CRA does ultimately apply to you, penalties for solo and small-team maintainers are unlikely to be severe. For more detail, see If I maintain an open source codebase, and am treated as a "manufacturer" or "steward", what penalties could I face for violating the CRA?

As a result, we would strongly urge you not to shut down any open source projects (or your participation in those projects) just because of the CRA.

© 2025 ORC WG Authors, CC-BY-4.0

Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.

Am I subject to the CRA if I earn a living from the open source project I maintain?

No. If your revenue only covers your actual costs—including a reasonable salary or living expenses—then you are not considered to be monetising the project, and you would not be subject to the CRA on that basis. See What does 'actual costs' mean under the CRA? for more details on what counts as actual costs.

However, if you are making a profit (revenue exceeding your costs), this likely indicates you are monetising the project. See What does 'intention to monetise' mean under the CRA? for what constitutes monetisation under the CRA. In that case, you would be considered a manufacturer for the software you monetise, with corresponding obligations under Article 13.

Even in the monetisation scenario, your manufacturer obligations apply only to the monetised version. For example, if you offer both a paid "enterprise" version and a free "community" version, you would be a manufacturer only for the enterprise version. The community version would remain outside the CRA's scope provided you are an individual and not an organization (see Can a solo maintainer be considered to be an open-source software steward? for more on this distinction).


Am I subject to the CRA if I only contribute to an open source project?

No. Contributions to open source projects are explicitly not in scope of the CRA, as stated in Recital 18:

"This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility."


Am I subject to the CRA if I maintain, but do not monetize, an open source project?

If you are the maintainer of an open source codebase, and you do not monetize it, then the CRA does not apply to you.

The CRA applies

"only in relation to products […] supplied […] in the course of a commercial activity" (Recital 15, emphasis added)

And it states that

"the provision of […] free and open-source software that are not monetized by their manufacturers should not be considered to be a commercial activity" (Recital 18, emphasis added)


If I maintain an open source codebase, and am treated as a "manufacturer" or "steward", what penalties could I face for violating the CRA?

If you are a solo or small-team maintainer of an open source codebase, but do get treated as a manufacturer or steward for some reason (such as monetization), you may be subject to some penalties. However, the penalties should be limited. In particular:

  • If you are regulated because you are a steward, stewards are explicitly exempted from any fines, though you may still be required to take corrective actions for any problems that are uncovered. See Article 64.

  • If you are regulated because you are a manufacturer, penalties must still be constrained. Specifically, all penalties must be "proportionate" (Recital 120; Article 64). In addition, when imposed on a natural person, the penalties must take into account "the economic situation" and "size" of the entity (Recital 121; Article 64). As a result, while it is not formally required, most regulators will likely request corrective action before imposing a fine.


I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say?

Reply to their requests, stating the following:

- On the basis of [Recital 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847#rct_18) of the Cyber Resilience Act, I do not fall within the scope of the regulation, and cannot be considered as a Manufacturer or an Open source software steward under the Cyber Resilience Act.
- On the basis of Recital 15 of the Product Liability Directive, I cannot be held liable for your use of my code.
- **While I don't have obligations towards you, you may have some towards me:**
	- On the basis of [Article 13(6)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847#art_13) of the Cyber Resilience Act, if you believe you have found a security flaw in this code, you are responsible for reporting it by following the vulnerability disclosure process here: << project link >>. You are also responsible for fixing it within your product and providing the fix upstream.

Can a solo maintainer be considered to be an open-source software steward?

No. As defined in Article 3(14), an open-source software steward must be a legal person (e.g. a company, a foundation, an association) in contrast with a natural person (i.e. a human being). The obligations of open-source software stewards described in Article 24 therefore do not apply to solo maintainers acting in their personal capacity.

However, should a solo maintainer set up a single-member company that is a legal entity in its own right, distinct from the natural legal persona of the solo maintainer, that entity could qualify as an open-source software steward if it meets the criteria for doing so.

It is also worth noting that natural persons who monetise their project become subject to the CRA as manufacturers. In that case, they face the same obligations as any other manufacturer under Article 13, not the lighter-touch obligations that apply to open-source software stewards under Article 24. For more on what qualifies as monetisation, see Am I subject to the CRA if I earn a living from the open source project I maintain?.


Can a loosely organized group of maintainers be considered to be an open-source software steward?

No. As defined in Article 3(14), an open-source software steward must be a legal person, which in the context of the CRA means a legal entity such as a business or nonprofit.


Does the mere popularity of my open source project expose me to CRA regulation?

No — the mere popularity of your open source project does not expose you to CRA regulation.

The CRA does not use popularity, user count, or widespread adoption as criteria for determining whether a project falls within scope. What matters is whether the software is supplied in the course of a commercial activity — meaning whether it is monetised or placed on the market under circumstances that indicate commercial intent.

As Recital 18 clarifies, "the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered to be a commercial activity." This means you can have millions of users, including in enterprise or critical infrastructure environments, without triggering CRA obligations, as long as you are not monetising the project.

While popularity itself creates no legal obligations, it may:

  • Increase visibility to downstream users or market surveillance authorities
  • Lead to requests from companies seeking help with their own compliance efforts
  • Create demand for security attestations for your project

None of these change your legal status under the CRA unless you begin monetising or otherwise supplying the software in a commercial context.

For more details on what determines whether an open source project is in scope, see What criteria determine whether an open source project is in scope of the CRA?. For information on what constitutes monetisation, see Am I subject to the CRA if I maintain, but do not monetize, an open source project? and Am I subject to the CRA if I earn a living from the open source project I maintain?.

© 2026 ORC WG Authors, CC-BY-4.0

Do common consulting arrangements make me a manufacturer?

No, common consulting arrangements do not make you a manufacturer under the CRA. If you are a consultant providing services (such as helping a client install, configure, or integrate software), you are providing a service, not placing a product on the market.

However, there is an important exception: if you provide consulting services around an open source project that you publish and monetise (for example, selling implementation or integration services for your own software), this commercial activity may mean you are placing that software on the market. In that case, you would have manufacturer obligations toward your clients for that project.

Note that these manufacturer obligations would apply only to the monetised version of your software. For a non-monetised version of the same open source project, you would have steward obligations if you are an organisation (a legal person, see What is a legal person?) that provides sustained support for its development. If you are an individual (a natural person), the non-monetised version falls outside the scope of the CRA entirely.


Does receiving grants make me a manufacturer?

No. Receiving grants does not make you a manufacturer under the CRA.

Grants provide financial support for the development of open source projects, but they are not a commercial transaction where the recipient is monetising a product that the grantor is purchasing. The CRA explicitly states that "the mere circumstances under which the product with digital elements has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity" (Recital 18).

Similarly, "the mere fact that an open-source software product with digital elements receives financial support from manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature" (Recital 18).

For more information on what does trigger manufacturer obligations, see What criteria determine whether an open source project is in scope of the CRA?.


Does accepting donations make me a manufacturer?

No, receiving donations does not make you a manufacturer, as long as those donations cover your actual costs rather than generate profit.

The CRA clarifies that "accepting donations without the intention of making a profit should not be considered to be a commercial activity" (Recital 15). This includes reasonable compensation or living expenses for individual developers.

When assessing whether donations exceed your costs, consider all revenue related to the project, not just one income stream. If total project-related income significantly exceeds the costs of designing, developing, and maintaining the software, this could indicate an intention to profit, which may bring you into scope. Since donations naturally fluctuate over time, a degree of flexibility applies—including considering the developer's broader financial situation.

Note that donations clearly linked to a service or benefit of equivalent value may not qualify as true donations—such arrangements could be viewed as commercial transactions.

For more on what counts as actual costs, see What does 'actual costs' mean under the CRA?. For how living expenses factor in, see Can a natural person's living expenses count as 'costs' or is that profit?. For broader monetisation questions, see Am I subject to the CRA if I earn a living from the open source project I maintain?.


Does providing technical support for a fee put you in scope of the CRA?

Providing technical support for a fee may or may not put you in scope of the CRA, depending on your relationship to the open source project.

If you are the publisher of the project: Charging for technical support services that are closely associated with the supply of the software can constitute monetisation, which would make the software a product placed on the market. However, this only applies where the price charged "does not serve only the recuperation of actual costs" (Recital 15). If you're a natural person and the fees only cover costs related to design, development, and maintenance—including reasonable living expenses—this alone would not make you a manufacturer. If you're a legal person that meets the definition of open-source software steward, you would be subject to steward obligations rather than manufacturer obligations for the non-monetised version of the software.

If you are a not-for-profit organisation: There is additional flexibility. If your organisation is set up to ensure that all earnings after costs are reinvested in not-for-profit objectives, your activities are not considered commercial even if you charge for support services (Recital 18).

If you are not the publisher: You are simply a service provider, and services are not products with digital elements under the CRA. For example, if you help a customer install open source software on their server but don't distribute the software yourself, you are not placing any product on the market and are therefore not in scope.

See also: Can a natural person's living expenses count as 'costs' or is that profit? and Does getting paid for open source software development make you a manufacturer?.


Can a natural person's living expenses count as 'costs' or is that profit?

Yes, reasonable living expenses count as costs, not profit. A natural person who publishes open source software and charges for technical support services to cover their costs—including reasonable living expenses—is not considered to be monetising that software on that basis alone.

This means individual open source maintainers can accept payment for support services to sustain themselves financially without automatically becoming manufacturers under the CRA. The key distinction is whether the income serves to recuperate actual costs (including fair remuneration) or whether it exceeds what's needed and becomes profit.

Similarly, donations that help cover a natural person's reasonable living expenses are considered costs, not profit. Accepting donations without the intention of making a profit is not considered a commercial activity (Recital 15).

For more on what counts as costs under the CRA, see What does 'actual costs' mean under the CRA?. For information on what constitutes profit, see What does 'make a profit' mean under the CRA?.


Can I get paid to develop an open source project without being considered a manufacturer?

Yes, you can get paid to develop an open source project without being considered a manufacturer under the CRA.

The CRA distinguishes between being paid for the software (monetisation) and being paid to work on the software (development funding). Receiving payment to develop or maintain an open source project does not, by itself, make you a manufacturer. As Recital 18 clarifies, "the mere circumstances under which the product with digital elements has been developed, or how the development has been financed, should therefore not be taken into account when determining the commercial or non-commercial nature of that activity."

This means that various common funding arrangements do not trigger manufacturer status:

  • Employment or contracting: Being hired or contracted to work on an open source project does not make you a manufacturer—your employer or client may have obligations, but you as a paid developer do not.
  • Grants and sponsorships: Receiving grants, sponsorships, or foundation funding to support development work does not constitute monetisation of the software itself.
  • Donations for living expenses: A natural person receiving donations that cover reasonable living expenses and development costs is not considered to be monetising the project.

What does make someone a manufacturer is monetising the software itself—for example, by charging for access to the software, selling paid support services that exceed cost recovery, or using the software as a platform to monetise other services.

For more information on what constitutes monetisation, see Am I subject to the CRA if I earn a living from the open source project I maintain?. For details on how contributions affect CRA status, see Am I subject to the CRA if I only contribute to an open source project?.


How is 'sponsorware' affected by the CRA?

Sponsorware is a model where sponsors receive early access to software that is later released as open source. Under the CRA, the regulatory treatment depends on which phase of the sponsorware model is being considered.

During the exclusive sponsor phase, when only paying sponsors can access the software, this arrangement might be considered as tailor-made development. As explained in When is a product "tailor-made"? What documentation is required in these cases?, the person publishing the software would be considered a manufacturer during that phase but could deviate from a small subset of the essential cybersecurity requirements provided they met the conditions outlined in Recital 64; the person publishing the software would be subject to the full obligations of a manufacturer otherwise.

Once the software is released as open source, it is treated like any other open source software under the CRA. At that point, the standard criteria for determining whether open source software is in scope apply: primarily, whether the person publishing it is monetising it through that release. See Am I subject to the CRA if I earn a living from the open source project I maintain? for details on how monetisation affects CRA obligations.
