🌱 Open-Source Software Stewards

Understanding the steward role, obligations, and requirements under the CRA

Do all open source projects have an open-source software steward?

No. Most open source projects will not have a steward.

A steward must be a "legal person" (Article 3(14)), such as a company or a foundation, and most open source projects are not backed by such an organisation.

The stewarding organisation must also have "the purpose or objective of systematically providing support on a sustained basis" (Article 3(14)), and its software must be "ultimately intended for commercial activities" (Recital 19). Organisations that do not meet those tests will also not be considered stewards.

© 2025 ORC WG Authors • CC BY 4.0 • Source

Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.

What is an open-source software steward?

Open-source software steward is a term defined in Article 3(14) of the CRA. It subjects specific organisations to a subset of the CRA obligations because they exist to support free and open-source software that is intended for commercial activities:

‘open-source software steward’ means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;


Who can be an open-source software steward?

Recital 19 states "Open-source software stewards include certain foundations as well as entities that develop and publish free and open-source software in a business context, including not-for-profit entities." At FOSDEM 2024, the European Commission provided three examples of entities the co-legislators had in mind:

  1. Foundations supporting specific FOSS projects
  2. Companies that build FOSS for their own use but make it public
  3. Not-for-profit entities that develop FOSS

What are the obligations of open-source software stewards?

Open-source software stewards are subject to a "light-touch and tailor-made regulatory regime" (Recital 19), defined in Article 24. This regime includes the following:


What are the notification obligations of open-source software stewards?

Per Article 24(3), open-source software stewards are subject to a subset of the notification obligations of manufacturers defined in Article 14.

  • If a steward is involved in the development of an open source project that it stewards, it must notify both its relevant CSIRT and ENISA of any actively exploited vulnerability in that project, see Article 14(1).
  • If a steward provides IT infrastructure used for the development of an open source project that it stewards, it must notify its relevant CSIRT and ENISA of any severe incident having an impact on the security of that project, see Article 14(3).
  • In both of those cases, it must inform impacted users (and where appropriate all users) of that open source project through the channels available to it (e.g. changelog, blog post, mailing list, or direct contact where a relationship exists), see Article 14(8).

The table below provides an actionable summary of those notification and information obligations. It accounts for the fact that stewards do not necessarily know who their users are and may not be able to reach them individually; the support levels are cumulative, each row adding to the one above it.

| Steward support level | Notify vulnerabilities [1] | Notify incidents [2] | General announcement [3] | Message known users [3] |
| --- | --- | --- | --- | --- |
| Provides non-technical support only | N/A | N/A | N/A | N/A |
| + provides IT infrastructure | N/A | ✅ | ✅ | N/A |
| + provides engineering resources (incl. security) | ✅ | ✅ | ✅ | N/A |
| + has 1:1 relationship with some users | ✅ | ✅ | ✅ | ✅ |

  1. Article 14(1)

  2. Article 14(3)

  3. Article 14(8)


How do open-source software stewards demonstrate that they meet their obligations?

What happens when an open-source software steward doesn't meet its obligations?

Does a steward bear the cost of translating and maintaining its policy documents in many of the EU languages?