What are the obligations of open-source software stewards?
Open-source software stewards are subject to a "light-touch and tailor-made regulatory regime" (Recital 19), defined in Article 24. This regime includes the following:
- Maintaining a cybersecurity policy.
- Maintaining a vulnerability management policy.
- Cooperating with Market Surveillance Authorities when needed.
- Notifying the relevant CSIRT and ENISA, and informing users, of actively exploited vulnerabilities and severe incidents in certain circumstances. More detailed information is given in What are the notification obligations of open-source software stewards?
© 2025 ORC WG Authors, CC BY 4.0
Disclaimer
Disclaimer: The information contained in this FAQ is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity. It is not necessarily comprehensive, complete, accurate, or up to date. It does not constitute professional or legal advice. If you need specific advice, you should consult a suitably qualified professional.