Am I subject to the CRA if I maintain and monetise an open source project?

If you are the maintainer of an open source codebase, and you do monetize it, then the CRA may apply to you, since you may be participating in a “commercial activity”.

However, there are at least two significant exceptions that may allow you to take money for your work without being subject to the CRA.

• If you monetise your software only by accepting donations that cover the “costs associated with the design, development, and provision” of the product, then the CRA says your participation is not a “commercial activity” and so it does not regulate you or your codebase. (See Recital 15 for more details.)
• If you monetise your software by charging for a security attestation programme, that may also not be a “commercial activity” for purposes of the regulation. The exact nature of that exemption is still to be determined. (See Recital 21 for more details.)