Am I subject to the CRA if I maintain and monetise an open source project?
If you are the maintainer of an open source codebase, and you do monetize it, then the CRA may apply to you, since you may be participating in a "commercial activity".
However, there are at least two significant exceptions that may allow you to take money for your work without being subject to the CRA.
- If you monetise your software only by accepting donations that cover the "costs associated with the design, development, and provision" of the product, then the CRA says your participation is not a "commercial activity" and so it does not regulate you or your codebase. (See Recital 15 for more details.)
- If you monetise your software by charging for a security attestation programme, that may also not be a "commercial activity" for purposes of the regulation. The exact nature of that exemption is still to be determined. (See Recital 21 for more details.)
© 2025
ORC WG Authors
• CC BY 4.0
• Source
•
Disclaimer
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.