How does the Cyber Resilience Act treat open source (FOSS)?
Direct answer
Non-commercial open-source software developed outside a commercial activity is largely outside the Cyber Resilience Act. Monetisation can change that: gating features behind payment, or donations exceeding development costs, can make it commercial. A commercial manufacturer that integrates open source remains fully liable for the final product.
Key Facts
- Non-commercial FOSS is largely out of scope (Recital 18 -- //CONFIRM recital number).
- Accepting basic donations does not, by itself, trigger commercial status.
- Commercial status can arise from gated features, dual-license paid tiers, or donations exceeding costs.
- Open-source software stewards have a lighter regime and are exempt from fines (Art. 24, 64).
- A commercial manufacturer is fully liable for integrated open-source components; liability does not pass to volunteer maintainers.
The CRA carves out open-source software that is not supplied in the course of a commercial activity, so genuinely non-commercial projects are largely outside its scope. The nuance is monetisation: merely accepting donations does not make a project commercial, but gating essential features or updates behind payment, running a paid enterprise tier alongside a free community version, or taking donations that exceed development costs can tip it into commercial territory (Art. 24). //CONFIRM thresholds against the March 2026 guidance A dedicated "open-source software steward" role applies to entities that provide sustained support for commercial-intent open source; stewards must keep a cybersecurity policy and cooperate with authorities, but are exempt from administrative fines (Art. 64). Crucially, when a commercial manufacturer integrates open-source components into a product it places on the market, that manufacturer carries full legal responsibility for the security of the final product. Liability cannot be pushed upstream to volunteer maintainers.
Regulatory References