Reg (EU) 2024/2847

You maintain an open-source project with a commercial dimension — an enterprise edition, paid support, a managed cloud version, or a company-backed distribution. Recital 18 of Regulation (EU) 2024/2847 draws the line: open-source software supplied outside commercial activity is excluded; open-source software supplied in the course of commercial activity is within CRA scope. If your OSS project has a business model, Article 13 obligations apply. CRACheck generates the documentation.

The open-source community raised concerns during the CRA legislative process, and the final text reflects them. Recital 18 of Regulation (EU) 2024/2847 explicitly excludes free and open-source software when it is not supplied in the course of a commercial activity. But the same recital defines commercial activity broadly: providing paid support, offering a commercial version, or integrating the software into a commercial product all qualify. If your OSS project has a foundation, a company, or a revenue stream, the software you distribute to EU users is within scope. CRACheck generates the 8-document dossier under Article 31 + Annex VII for €149 in 15–25 minutes. The documentation distinguishes you from non-commercial projects — and from competitors without CRA readiness.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Recital 18 · Art. 31 + Annex VII · 8 documents · 100% browser-side

Key numbers

Recital 18: The CRA recital that defines the commercial/non-commercial boundary for open-source software
Art. 13(5): EU manufacturers integrating your OSS must conduct due diligence — they need your CRA docs
€149: One-time cost for the complete CRA dossier for your commercial OSS product

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Determine commercial activity
CRACheck helps you assess whether your OSS distribution constitutes commercial activity under Recital 18: paid support, enterprise editions, managed hosting, or company-backed development.

2. Define the product boundary
Which distribution is the "product with digital elements"? The community edition? The enterprise edition? Both? CRACheck structures the analysis per product.

3. Classify under Annex III
OSS infrastructure tools (firewalls, IDS, identity management) may classify as Important Class I. General-purpose libraries typically classify as Default.

4. Document dependencies and contributors
Open-source supply chain: upstream dependencies, contributor trust model, release signing, and build reproducibility. Article 13(5) requires due diligence on all components.

5. Generate risk assessment
OSS-specific threat analysis: supply chain attacks through compromised dependencies, malicious contributor commits, typosquatting on package registries, and unsigned release artifacts.

6. Produce 8 documents
Technical documentation, risk assessment, declaration of conformity, user information, CVD policy (especially important for OSS — researchers expect it), ENISA template, obligations calendar.

7. Share with EU integrators
Your EU enterprise customers integrating your OSS need this documentation for their own Article 13(5) due diligence. Proactive sharing accelerates their adoption.

Common mistakes

LICENSE ≠ EXEMPTION

"Our software is MIT/Apache-licensed, so it is exempt from CRA"

Recital 18 of Regulation (EU) 2024/2847 bases the CRA exemption on commercial activity, not license type. MIT, Apache, GPL, and BSD are all license types that say nothing about commercial context. If your company distributes the software commercially — through paid support, enterprise features, managed hosting, or company-backed development — the license does not create an exemption.

COMMERCIAL CONTEXT ANALYSIS

"Only the enterprise edition is commercial — the community edition is exempt"

Recital 18 states that the "mere circumstances" of a product's development — such as being open-source — do not exclude it from scope if supplied in the course of commercial activity. If the community edition is distributed by the same company that sells the enterprise edition, and the community edition serves as a gateway to commercial conversion, it may be within scope. The determination depends on whether the supply constitutes commercial activity, not on the edition label.

MANUFACTURER IDENTITY

"Our contributors are volunteers, so we cannot comply with manufacturer obligations"

The manufacturer under Article 3(13) is the legal entity that places the product on the market. If your company publishes releases, maintains the download page, and distributes the software to EU users, your company is the manufacturer — regardless of who contributed the code. Contributor volunteer status does not affect the company's regulatory obligations.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines CRA scope for your OSS product. Documents the commercial activity analysis per Recital 18 and the Annex III classification.

2. Technical Documentation
Art. 31 + Annex VII for commercial OSS: project architecture, build system, dependency tree, release process, contributor model, and security controls.

3. Risk Assessment
OSS-specific analysis: supply chain attacks, dependency vulnerabilities, compromised contributor accounts, package registry attacks, and build system integrity.

4. User Information
Annex II adapted for OSS users: supported versions, security update channels, known vulnerabilities, contribution guidelines for security issues, and developer contact.

5. Declaration of Conformity
Art. 28 + Annex V for your commercial OSS product.

6. CVD Policy
Vulnerability disclosure policy for OSS projects: SECURITY.md, security advisory process, coordinated disclosure with downstream users, and embargo policy.

7. Notification Template
ENISA template per Article 14 for OSS incidents: compromised releases, supply chain attacks, zero-day discoveries in production deployments. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
Timeline for commercial OSS: Art. 14 reporting from September 2026, enforcement December 2027, support period for maintained versions.

Look before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 OSS-SPECIALIZED TECHNOLOGY ATTORNEY
$10,000–$25,000
6-12 weeks. The attorney needs to understand open-core business models, contributor agreements, and package distribution. Few have this combined expertise.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected