
Open-source software under Regulation (EU) 2024/2847: when the CRA applies, who is a steward under Article 24, what duties stewards carry, and why open-source software stewards are exempt from administrative fines

The Cyber Resilience Act applies to free and open-source software (FOSS) only when it is supplied for distribution or use on the Union market in the course of a commercial activity (Article 2 + Recital 18). Hosting code on a forge or a package manager does not by itself trigger the regulation (Recital 20). For FOSS that is monetised — directly or as a component in monetised products — the manufacturer obligations of Article 13 apply in full. For legal persons that provide sustained support for FOSS intended for commercial activities, Article 3(14) introduces a tailored figure: the open-source software steward, with the light-touch regime of Article 24. Stewards are fully exempt from administrative fines under Article 64(10)(b). This page maps every FOSS scenario to its CRA rule. CRACheck handles the monetised-FOSS case.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 24 stewards · Art. 32(5) FOSS internal control with public docs · Recitals 17-22 · 100% browser-side

Three coordinates for FOSS under the CRA

Art. 3(48): FOSS definition — code openly shared, with all rights to access, use, modify and redistribute it
Art. 24: Steward duties — a documented cybersecurity policy and cooperation with market surveillance authorities
Art. 64(10)(b): Stewards face no administrative fines for any infringement

Seven FOSS scenarios — in or out of the CRA

Each scenario below maps to a clear rule from Article 2, Article 3, Article 24 or the recitals. The line between out-of-scope FOSS and a regulated activity is the line of commercial activity.

1. Hobby project on a public forge — OUT of scope
Recital 17 + Recital 20: openly sharing source code on collaboration platforms or package managers is not, by itself, making available on the market. Without a commercial activity (Art. 3(22)), the CRA does not apply. The mere fact that a project receives donations or financial support does not, by itself, make the activity commercial (Recital 18).

2. Not-for-profit organisation publishing FOSS — OUT of scope (if conditions met)
Recital 18: not-for-profit organisations that develop FOSS are not engaged in commercial activity, provided the organisation is set up so that all earnings after costs are used to achieve not-for-profit objectives. The mere presence of regular releases does not by itself make the activity commercial.

3. Individual contributor to a third-party FOSS project — OUT of scope
Recital 18: the CRA does not apply to natural or legal persons who contribute source code to FOSS products with digital elements that are not under their responsibility. The contributor is not a manufacturer of the upstream project.

4. FOSS supplied as a component in a monetised product — IN scope as a component
Recital 18: supply of FOSS components intended for integration by other manufacturers into their own products is making available on the market only if the component is monetised by its original manufacturer. The integrating manufacturer’s due diligence on the FOSS component is governed by Article 13(5) + Recital 34.

5. Foundation or business sustaining a FOSS project — IN scope as a STEWARD
Article 3(14): a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific FOSS products with digital elements intended for commercial activities, and ensures the viability of those products. Subject to Article 24 (light-touch regime), not to Article 13.

6. Commercial FOSS distribution — IN scope as manufacturer
Article 2(1) + Recital 18: when a person supplies FOSS for distribution or use on the Union market in the course of a commercial activity (paid subscription, support service revenue, monetised platform, donations exceeding actual costs, processing of personal data not strictly for security/compatibility), Article 13 applies in full. This is the standard commercial-distribution case.

7. Voluntary security attestation — supporting tool
Article 25: the Commission is empowered to adopt delegated acts establishing voluntary security attestation programmes for FOSS, allowing developers, users or third parties to assess conformity with all or certain CRA essential requirements. Independent of the steward regime.

Common mistakes

STEWARD MISLABEL

“We are a foundation — we automatically count as a steward”

Not automatic. Article 3(14) requires three things: (a) a legal person OTHER than the manufacturer, (b) the purpose or objective of systematically providing sustained support for FOSS products intended for commercial activities, (c) ensuring the viability of those products. A foundation that hosts an annual conference but does not steer development on a sustained basis is unlikely to qualify.

DONATION-AS-COMMERCIAL

“Accepting any donation makes us commercial”

Recital 15 + 18: ‘accepting donations without the intention of making a profit should not be considered to be a commercial activity’. Only donations ‘exceeding the costs associated with the design, development and provision’ cross into commercial. A genuine cost-recovery donation model is not commercial activity for CRA purposes.

STEWARD = NO OBLIGATIONS

“Stewards have zero CRA obligations”

Stewards have a light-touch but real regime under Article 24: (a) a documented cybersecurity policy that fosters secure development and effective vulnerability handling by the developers of the FOSS PDE; (b) cooperation with market surveillance authorities upon request; (c) reporting of actively exploited vulnerabilities to the extent involved in development (Art. 24(3) + Art. 14(1)); (d) reporting of severe incidents to the extent they affect the steward’s network and information systems (Art. 14(3) + (8)).

Does the CRA apply to your product?

Four-question self-check. If you answer YES to all four, your product is in scope of Regulation (EU) 2024/2847.


Choose your licence

One-time payment. No subscription. The downloaded dossier is yours forever.

1 PRODUCT: €149 / product
  • 8-document CRA dossier (ZIP)
  • Product Classifier + Technical Documentation
  • Risk Assessment + User Information
  • 10 regenerations · 30 days
  • 1 licence = 1 product

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Determines whether your product is Default, Important Class I, Important Class II (Annex III) or Critical (Annex IV). Documents the rationale and the applicable conformity assessment procedure under Article 32.

2. Technical Documentation
Article 31 + Annex VII dossier. Product description, design and development, vulnerability handling processes, risk assessment, list of harmonised standards applied, conformity solutions.

3. Cybersecurity Risk Assessment
Annex I, Part I analysis. Intended purpose, reasonably foreseeable use, operational environment, applicability of each essential requirement, mitigation measures.

4. User Information & Instructions
Annex II. Manufacturer details, single point of contact, intended purpose, support period end date, secure decommissioning, automatic-update opt-out instructions.

5. EU Declaration of Conformity
Article 28 + Annex V. Pre-structured with your classification, applicable conformity module, harmonised standards or certificates relied on, notified body number when applicable.

6. Coordinated Vulnerability Disclosure Policy
Annex I, Part II, point (5). Single point of contact, intake workflow, triage and remediation timeline, public disclosure rules.

7. ENISA Notification Template
Article 14 reporting. Pre-filled 24h early warning, 72h vulnerability/incident notification, 14-day final report templates.

8. Obligations Calendar
Personalised milestones: Article 14 reporting starts 11 September 2026, full application 11 December 2027, document retention 10 years, support period (Art. 13(8)) end date.

See before you buy — Download sample dossier (PDF, fictional company). Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

Legal opinion on FOSS status under the CRA: €4,000–€12,000
Counsel assessment of whether your FOSS activity is commercial, whether you qualify as a steward under Art. 3(14), and which Article 24 duties or Article 13 duties apply.

CRACheck (same output): €149
CRACheck classifies your FOSS scenario: out-of-scope (hobby / non-profit), in-scope component (integrated by others), steward (Art. 24 light-touch), or full manufacturer (Art. 13). Generates the corresponding documentation.

Legal sources

Every article and recital cited on this page comes from the official text of Regulation (EU) 2024/2847 (Cyber Resilience Act), published in the Official Journal of the European Union on 20 November 2024 (ELI: data.europa.eu/eli/reg/2024/2847/oj).

Related: Regulation (EU) 2019/881 (Cybersecurity Act, EUCC) · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2019/1020 (market surveillance) · Regulation (EU) 2024/1689 (AI Act).

Important notice

This is not legal advice. CRACheck is structured self-assessment software based on Regulation (EU) 2024/2847. The dossier you download is structured documentation, not a third-party audit or certification.

Class II and Critical products still need a notified body. CRACheck prepares the dossier that the notified body will examine — it does not replace the third-party conformity assessment required by Article 32(3) and Article 32(4).

Maximum liability: the amount you paid for the licence. Always verify your specific situation with your legal counsel.

Frequently asked questions

Does hosting code on GitHub or a package manager trigger the CRA?
No. Recital 20 says: ‘The sole act of hosting products with digital elements on open repositories, including through package managers or on collaboration platforms, does not in itself constitute the making available on the market of a product with digital elements. Providers of such services should be considered to be distributors only if they make such software available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity.’
What does a steward have to do under Article 24?
Three things. Art. 24(1): put in place and document in a verifiable manner a cybersecurity policy fostering secure development by the developers of the FOSS PDE and an effective handling of vulnerabilities, including voluntary reporting under Article 15. Art. 24(2): cooperate with market surveillance authorities at their request; on reasoned request provide the documentation in a language they easily understand. Art. 24(3): apply Article 14(1) [vulnerability notification] to the extent involved in development; apply Article 14(3) and (8) [severe incident notification + user information] to the extent severe incidents affect the steward’s network and information systems.
Are open-source software stewards subject to administrative fines?
No. Article 64(10)(b) is explicit: ‘the administrative fines referred to in those paragraphs shall not apply to any infringement of this Regulation by open-source software stewards’. Stewards remain subject to corrective measures imposed by market surveillance authorities (Article 52(3) requires the steward to ensure that all appropriate corrective action is taken), and Member States cannot impose other pecuniary penalties on stewards either, subject to the principle that penalties be effective, proportionate and dissuasive.
Can a FOSS manufacturer use Module A internal control?
Yes — even for Important products listed in Annex III. Article 32(5): ‘Manufacturers of products with digital elements qualifying as free and open-source software, which fall under the categories set out in Annex III, shall be able to demonstrate conformity with the essential cybersecurity requirements set out in Annex I by using one of the procedures referred to in paragraph 1 of this Article, provided that the technical documentation referred to in Article 31 is made available to the public at the time of the placing on the market of those products.’ The trade-off: public Annex VII technical documentation in exchange for Module A self-assessment.
Is this a subscription?
No. One-time payment. 30-day editing window. 10 regenerations. The PDF dossier is yours permanently.
Can I request a refund?
Under Article 16(m) of Directive (EU) 2011/83, the act of licence activation constitutes express consent for immediate digital content generation, which removes the right of withdrawal. Refunds are issued only for reproducible technical failures.
What if the regulation changes before I file my dossier?
Regenerate at no additional cost during your licence validity. Substantive amendments to Regulation (EU) 2024/2847 are tracked weekly from EUR-Lex; if a clause you cited is amended, you can regenerate the affected sections.

FOSS in scope, FOSS out of scope, or steward — know which one applies.

CRACheck classifies your FOSS activity against Articles 2, 3(14), 3(48), 13, 24 and 32(5). For commercial FOSS in scope, generates the full Article 13 dossier. For stewards, generates the Article 24 cybersecurity policy.
