Open-source software steward
A legal person, other than a manufacturer, whose purpose or objective is to systematically provide support on a sustained basis for the development of specific free and open-source software products intended for commercial activities, and that ensures the viability of those products. OSS stewards are subject to a lighter, tailor-made regulatory regime under the CRA rather than the full set of manufacturer obligations.
Source citations
Regulation text
Article 3(14) of Regulation (EU) 2024/2847 defines an open-source software steward as:
"a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products".
Key points
- The OSS steward category is a new concept introduced specifically by the CRA to accommodate foundations and similar organisations that support FOSS development without commercialising products directly
- OSS stewards are not manufacturers: they do not bear the full set of manufacturer obligations in Art. 13
- The tailor-made regime (Art. 24) requires them to: (1) put in place and document a cybersecurity policy that fosters secure development and effective vulnerability handling by the project's developers (Art. 24(1)); and (2) cooperate with market surveillance authorities on request, including providing that documentation (Art. 24(2))
- OSS stewards are subject to the vulnerability reporting obligations (Art. 14(1)) to the extent that they are involved in developing the products, and to severe incident notification (Art. 14(3)) where the incident affects network and information systems they provide for that development (Art. 24(3))
- Infringements by OSS stewards are excluded from the penalty framework: no administrative fines may be imposed on them (Art. 64(10)(b))