🧑‍🔧 Maintainers
I am worried about how the CRA might impact me, and so I am considering shutting down my open source projects. Should I do that?
The CRA should have zero or minimal impact on most open source developers, so you should probably not shut down your open source projects because of the CRA. There are several reasons for this:
First, the CRA likely does not apply to you.
- If you’re just a contributor, the CRA explicitly exempts you. For more detail, see Am I subject to the CRA if I only contribute to an open source project?
- If you’re a maintainer, and you do not “monetise” your FOSS codebase, the CRA explicitly exempts you. For more detail, see Am I subject to the CRA if I maintain, but do not monetize, an open source project?
- If you’re a maintainer, and you do monetise your FOSS codebase, you may still be exempted, depending on exactly how you are monetizing the codebase and your participation in it. For more detail, see Am I subject to the CRA if I maintain and monetise an open source project?
Second, even if the CRA does ultimately apply to you, penalties for solo and small-team maintainers are unlikely to be severe. For more detail, see If I maintain an open source codebase, and am treated as a “manufacturer” or “steward”, what penalties could I face for violating the CRA?
As a result, we would strongly urge you not to shut down any open source projects (or your participation in those projects) just because of the CRA.
Am I subject to the CRA if I only contribute to an open source project?
No. Contributions to an open source codebase are explicitly not in scope of the CRA, as stated in Recital 18:
This Regulation does not apply to natural or legal persons who contribute with source code to products with digital elements qualifying as free and open-source software that are not under their responsibility.
Am I subject to the CRA if I maintain, but do not monetize, an open source project?
If you are the maintainer of an open source codebase, and you do not monetize it, then the CRA does not apply to you.
The CRA applies
only in relation to products […] supplied […] in the course of a commercial activity (Recital 15, emphasis added)
And it states that
the provision of […] free and open-source software that are not monetized by their manufacturers should not be considered to be a commercial activity (Recital 18, emphasis added)
Am I subject to the CRA if I maintain and monetise an open source project?
If you are the maintainer of an open source codebase, and you do monetize it, then the CRA may apply to you, since you may be participating in a “commercial activity”.
However, there are at least two significant exceptions that may allow you to take money for your work without being subject to the CRA.
- If you monetise your software only by accepting donations that cover the “costs associated with the design, development, and provision” of the product, then the CRA says your participation is not a “commercial activity” and so it does not regulate you or your codebase. (See Recital 15 for more details.)
- If you monetise your software by charging for a security attestation programme, that may also not be a “commercial activity” for purposes of the regulation. The exact nature of that exemption is still to be determined. (See Recital 21 for more details.)
If I maintain an open source codebase, and am treated as a “manufacturer” or “steward”, what penalties could I face for violating the CRA?
If you are a solo or small-team maintainer of an open source codebase, but do get treated as a manufacturer or steward for some reason (such as monetization), you may be subject to some penalties. However, the penalties should be limited. In particular:
- If you are regulated because you are a steward, stewards are explicitly exempted from any fines, though you may still be required to take corrective actions for any problems that are uncovered. See Article 64.
- If you are regulated because you are a manufacturer, penalties must still be constrained. Specifically, all penalties must be “proportionate” (Recital 120; Article 64). In addition, when imposed on a natural person, the penalties must take into account “the economic situation” and “size” of the entity (Recital 121; Article 64). As a result, while it is not formally required, most regulators will likely request corrective action before imposing a fine.
I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say?
Reply to their requests, stating the following:
- On the basis of [Recital 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#rct_18 "⚖️ Recital 18") of the Cyber Resilience Act, I do not fall within the scope of the regulation, and cannot be considered as a Manufacturer or an Open source software steward under the Cyber Resilience Act.
- On the basis of [Recital 15 of the Product Liability Directive][PLD Recital 15], I cannot be held liable for your use of my code.
- **While I don't have obligations towards you, you may have some towards me:**
- On the basis of [Article 13(6)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_13 "⚖️ Article 13 - Obligations of manufacturers") of the Cyber Resilience Act, if you believe you have found a security flaw in this code, you are responsible for reporting it by following the vulnerability disclosure process here: << project link >>. You are also responsible for fixing it within your product and providing the fix upstream.
Can a solo maintainer be considered to be an open-source software steward?
No. As defined in Article 3(14), an open-source software steward must be a legal person (e.g. a company, an organization, etc.) in contrast with a natural person (i.e. a human being). The obligations of open-source software stewards described in Article 24 therefore do not apply to solo maintainers. It is worth noting, however, that natural persons are subject to the same obligations as legal persons would be should they monetize their project.
Can a loosely organized group of maintainers be considered to be an open-source software steward?
No. As defined in Article 3(14), an open-source software steward must be a legal person, which in the context of the CRA means a legal entity such as a business or nonprofit.