I am NOT subject to the CRA, and want to make this clear to downstream users. What should I say?
Reply to their requests, stating the following:
- On the basis of [Recital 18](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847#rct_18 "⚖️ Recital 18") of the Cyber Resilience Act, I do not fall within the scope of the regulation, and cannot be considered as a Manufacturer or an Open source software steward under the Cyber Resilience Act.
- On the basis of [Recital 15 of the Product Liability Directive][PLD Recital 15], I cannot be held liable for your use of my code.
- **While I don't have obligations towards you, you may have some towards me:**
  - On the basis of [Article 13(6)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847#art_13 "⚖️ Article 13 - Obligations of manufacturers") of the Cyber Resilience Act, if you believe you have found a security flaw in this code, you are responsible for reporting it by following the vulnerability disclosure process here: << project link >>. You are also responsible for fixing it within your product and providing the fix upstream.
© 2025 ORC WG Authors • CC BY 4.0
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.