How should manufacturers exercise due diligence with regards to open-source components that are not subject to the CRA?

Manufacturers are allowed to integrate open-source components that are not in scope of the CRA (i.e. because they are not made available on the market in the course of a commercial activity), as well as open-source components that are published by an open-source software steward.

As explained in 4.4.2 "What is the appropriate level of due diligence?", the appropriate level of due diligence is dependent on the nature and level of cybersecurity risk of a given open-source component.

The Commission is empowered to establish voluntary security attestations programmes that can be used to assess the conformity of free and open-source components with the CRA. Where available, such attestation programmes would facilitate manufacturers’ due diligence obligation.

© 2025 European Union • CC-BY 4.0 • “FAQs on the Cyber Resilience Act” p.48 (PDF)
Disclaimer

Disclaimer: This document is prepared by the Commission services and should not be considered as representative of the European Commission’s official position. The replies to the FAQs do not extend in any way the rights and obligations deriving from applicable legislation nor introduce any additional requirement. The expressed views are not authoritative and cannot prejudge any future actions the European Commission may take, including potential positions before the Court of Justice of the European Union, which is competent to authoritatively interpret Union law.