Free and open-source software (FOSS)
Software whose source code is made available with a licence granting users the rights to use, copy, modify, and distribute the software. FOSS components integrated into a commercial product are in scope of the CRA for the manufacturer integrating them. Non-commercial FOSS development and supply is generally out of scope; OSS stewards have a tailored regime.
Source citations
Regulation text
Article 3(48) of Regulation (EU) 2024/2847 defines free and open-source software as:
"software the source code of which is openly shared and which is made available under a free and open source licence permitting all users to run, copy, distribute, study, change and improve the software".
CRA scope for FOSS
The CRA's treatment of FOSS depends on the role of the person or organisation:
| Role | CRA treatment |
|---|---|
| Non-commercial FOSS developer supplying software free of any commercial activity | Out of scope (Art. 2(1)) |
| FOSS developer with a commercial model (monetisation, SaaS, paid services) | In scope as manufacturer |
| OSS steward (foundation/project systematically supporting FOSS for commercial use) | Reduced obligations under Art. 24 |
| Company integrating FOSS in a commercial product | In scope as manufacturer — must manage FOSS components under Annex I Part II obligations |
SBOM and FOSS
The SBOM requirement is particularly relevant to FOSS. Manufacturers must document their top-level dependencies, which frequently include well-known open-source libraries. This enables:
- Rapid assessment of whether a newly discovered vulnerability (e.g. Log4Shell) affects their product
- Due diligence evidence for market surveillance authorities
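As an added example (not part of the CRA text or of this page's source material), the following Python script performs the check described above: it matches a constructed CycloneDX-style SBOM fragment against an advisory naming an affected component and version range. The SBOM contents, the `Advisory` structure and the version bounds are constructed sample input, not a real product's data.

```python
"""Check an SBOM's top-level components against a vulnerability advisory."""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (sample input, not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
    {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
    {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"}
  ]
}
"""


@dataclass(frozen=True)
class Advisory:
    """Minimal advisory record (constructed shape): one component, one affected range."""
    group: str
    name: str
    min_inclusive: str   # first affected version
    max_exclusive: str   # first fixed version
    label: str


def parse_version(v: str) -> tuple[int, ...]:
    """Parse a dotted numeric version into a comparable tuple padded to three parts.
    Pre-release suffixes such as '-beta9' are dropped (a simplification)."""
    core = v.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_components(sbom_json: str, advisory: Advisory) -> list[str]:
    """Return 'group:name@version' for every SBOM component inside the advisory's range."""
    sbom = json.loads(sbom_json)
    low, high = parse_version(advisory.min_inclusive), parse_version(advisory.max_exclusive)
    hits = []
    for c in sbom.get("components", []):
        if c.get("group") != advisory.group or c.get("name") != advisory.name:
            continue  # a different library, or a sibling artifact such as log4j-api
        if low <= parse_version(c["version"]) < high:
            hits.append(f"{c['group']}:{c['name']}@{c['version']}")
    return hits


if __name__ == "__main__":
    # Constructed advisory: bounds are sample input, not copied from a published record.
    adv = Advisory("org.apache.logging.log4j", "log4j-core", "2.0.0", "2.15.0", "sample advisory")
    print(f"{adv.label}: affected components -> {affected_components(SBOM_JSON, adv)}")
```

The same loop applied to every advisory in a feed gives the rapid exposure assessment the SBOM requirement is meant to enable; an SBOM limited to top-level dependencies will not surface a vulnerable library pulled in transitively.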
CRA and FOSS sustainability
Recital 18 acknowledges the importance of FOSS to the EU digital economy and notes that the CRA framework should not discourage the development and publication of FOSS. The OSS steward category and the non-commercial exemption are the two main FOSS-specific accommodations.