Does Art. 24 apply to individual open-source contributors?

No. Art. 3(14) of Regulation (EU) 2024/2847 defines the open-source software steward as a legal person. Recital 18 explicitly states that the CRA does not apply to natural or legal persons who contribute source code to FOSS products that are not under their responsibility. Individual contributors who do not market the product under their name are outside scope.

Our foundation receives donations from commercial integrators. Does that make us a manufacturer?

Not by itself. Recital 18 of Regulation (EU) 2024/2847 clarifies that financial support from manufacturers or contributions to development do not in themselves determine that the activity is commercial. The test is whether the foundation markets the product under its name in a commercial activity — not whether it receives funding.

Can an open-source software steward affix CE marking?

No. Recital 19 of Regulation (EU) 2024/2847 explicitly states that the light-touch regime does not permit stewards to affix CE marking to the products whose development they support. Only manufacturers under Art. 13(11) affix CE marking after completing the conformity assessment.

What happens if we are classified as manufacturer rather than steward?

If your organisation markets the FOSS product in a commercial activity under Art. 3(13), all Art. 13 manufacturer obligations apply: cybersecurity risk assessment, technical documentation under Art. 31, vulnerability handling, ENISA reporting, conformity assessment, CE marking. The Art. 64(10)(b) fine exemption for stewards would not apply. CRACheck generates the Art. 31 documentation in either case.

Is this a subscription?

No. One-time payment. The licence includes 30 days of editing and 10 regenerations. The downloaded PDF is yours permanently.

Can I request a refund?

Under Art. 16(m) of Directive (EU) 2011/83, activating the licence constitutes express consent for immediate generation of digital content, waiving the 14-day withdrawal right. Refunds are only processed for reproducible technical failures.

What if the regulation changes?

If Regulation (EU) 2024/2847 is amended during your licence window, you can regenerate the documentation using the updated version of the generator at no additional cost.

Your foundation or organisation systematically supports the development of free and open-source software that commercial manufacturers integrate into their products. Article 24 of Regulation (EU) 2024/2847 creates a tailored regulatory regime for you — lighter than the manufacturer's, but not absent. You need a documented cybersecurity policy, you must cooperate with authorities, and Art. 14 reporting applies to you in specific circumstances.

The Cyber Resilience Act distinguishes between manufacturers who place products on the market in a commercial activity and open-source software stewards who support development without being manufacturers themselves. Art. 3(14) defines an open-source software steward as a legal person, other than a manufacturer, that systematically supports the development of specific products qualifying as free and open-source software intended for commercial activities and ensures their viability. Recital 19 clarifies the scope: foundations, entities that develop and publish FOSS in a business context, and not-for-profit entities steering development of commercially intended software. The regime under Art. 24 is intentionally light: a documented cybersecurity policy (Art. 24(1)), cooperation with market surveillance authorities (Art. 24(2)), and partial Art. 14 reporting obligations (Art. 24(3)). Critically, Art. 64(10)(b) exempts open-source software stewards from administrative fines for any CRA infringement. CRACheck generates documentation structured under Art. 31 and Annex VII for manufacturers integrating your components. €149 per product. 15-25 minutes.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key figures

Art. 24

Three obligations: cybersecurity policy, authority cooperation, partial Art. 14 reporting

Art. 64(10)(b)

Administrative fines do not apply to open-source software stewards

Art. 3(14)

Definition: legal person, not manufacturer, systematic support, commercial intent

How to proceed

Determine whether you are a steward under Art. 3(14)

You qualify if you are a legal person (not an individual contributor), you are not the manufacturer, you systematically support development of specific FOSS products intended for commercial activities, and you ensure their viability. Recital 19 includes foundations, corporate entities publishing FOSS in a business context, and not-for-profits steering development.

Verify you are not a manufacturer

Art. 3(13) defines the manufacturer as whoever markets the product under their name or trademark, whether for payment or free of charge. Recital 18 clarifies: FOSS not monetised by its manufacturer is not a commercial activity. But if your foundation monetises the product directly — beyond donations or sponsorships — you may cross into manufacturer territory.

Document a cybersecurity policy

Art. 24(1) requires a verifiable cybersecurity policy covering: secure development fostering, effective vulnerability handling by developers, voluntary vulnerability reporting per Art. 15, and vulnerability documentation, remediation and information sharing within the community.

Establish authority cooperation channels

Art. 24(2) requires cooperation with market surveillance authorities at their request, including providing the cybersecurity policy documentation in a language the authority can understand.

Assess your Art. 14 exposure

Art. 24(3) imposes partial Art. 14 obligations: Art. 14(1) applies to stewards involved in the development of the products. Art. 14(3) and (8) apply when severe incidents affect the steward's own network and information systems used for development.

Communicate downstream to integrators

Manufacturers integrating your components bear full Art. 13 obligations. Your cybersecurity policy and vulnerability disclosure practices directly affect their Art. 13(5) due diligence. CRACheck helps those manufacturers produce the Art. 31 documentation that accounts for integrated FOSS components.

Common mistakes

❌

SCOPE MISJUDGEMENT

Assuming all open-source activity is exempt from the CRA

The CRA exempts individual contributors (Recital 18) and non-commercial FOSS. But Art. 3(14) creates the steward category specifically for legal persons that support commercially intended FOSS. If your foundation stewards a project that manufacturers routinely integrate into commercial products, Art. 24 applies to you — even though fines do not.

❌

MANUFACTURER MISCLASSIFICATION

Operating as a steward when you are actually the manufacturer

If your organisation develops the product and markets it under its own name — even free of charge — Recital 18 of Regulation (EU) 2024/2847 may classify you as manufacturer under Art. 3(13) if the activity is commercial. Monetisation through enterprise licensing, paid support, or SaaS deployment of the same codebase can trigger manufacturer status with full Art. 13 obligations.

❌

REPORTING BLIND SPOT

Ignoring partial Art. 14 reporting because you are not a manufacturer

Art. 24(3) applies Art. 14(1) — vulnerability notification to ENISA — to stewards involved in the development. If you maintain the repository, merge security patches, and manage releases, you are involved. The 24h early warning and subsequent notifications apply from 11 September 2026.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Identifies the CRA category for the product your FOSS component is integrated into. Stewards do not classify their own components, but downstream manufacturers need this to determine their conformity assessment route.

Technical Documentation

Art. 31 and Annex VII documentation for the end product. Stewards do not produce this, but CRACheck helps the manufacturers who integrate your component to document how that component fits into their overall product documentation.

Risk Assessment

Cybersecurity risk assessment per Art. 13(2)-(3). Downstream manufacturers must include FOSS components in their risk assessment. CRACheck structures that inclusion.

User Information

Annex II user information. The manufacturer of the end product provides this — not the steward.

Declaration of Conformity

EU Declaration per Art. 28 and Annex V. Only manufacturers issue this. Stewards cannot affix CE marking (Recital 19).

CVD Policy

Coordinated vulnerability disclosure policy. Stewards need their own cybersecurity policy under Art. 24(1). CRACheck structures the CVD component that downstream manufacturers reference.

Notification Template

ENISA notification template per Art. 14. Relevant to stewards under Art. 24(3) for actively exploited vulnerabilities in the component they steward.

Obligations Calendar

Key dates: Art. 14 partial reporting from September 2026, full CRA enforcement December 2027, Art. 25 voluntary security attestation programmes.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 OPEN-SOURCE COMPLIANCE CONSULTANCY

Legal mapping of Art. 24 obligations

€5,000-15,000 per engagement

One-time legal opinion

Does not produce reusable documentation

Scope limited to the foundation — does not help downstream integrators

Re-engagement if CRA guidance changes

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history