An open-source software steward is any legal person who provides systematic support for the development of a free and open-source software product, the intended use of which can reasonably be expected to be commercial.
Key facts
- New category introduced by the CRA to address OSS without penalising individual developers
- Lighter obligations than manufacturers (no CE marking, no DoC)
- Must put a cybersecurity policy in place and cooperate with authorities
- Commercial-activity test determines whether an OSS project is in scope
- Steward status does not apply to downstream users who package/distribute the software
Key deadlines
1. 11 December 2024 — CRA enters into force
The regulation is legally in effect. Products placed on the market from this date must comply with the CRA once the application dates are reached.
2. 11 September 2026 — Vulnerability reporting obligations apply
Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.
3. 11 June 2027 — Conformity assessment body notification
Member States must notify conformity assessment bodies to the Commission.
4. 11 December 2027 — Full regulation applies
All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform.
All economic operators must be able to identify, on request from market surveillance authorities, (a) any economic operator who supplied them with a product, and (b) any economic operator to whom they supplied a product. Records must be maintainable for 10 years from each transaction.
Open-source software stewards must put in place and document a cybersecurity policy that fosters the development of a secure product and enables effective handling of vulnerabilities in the open-source software components they support.
Open-source software stewards must notify the relevant CSIRT (computer security incident response team) designated as coordinator without undue delay of any actively exploited vulnerability contained in their open-source software components, as well as any severe incident affecting the security of those components.
Open-source software stewards must cooperate with market surveillance authorities upon request and provide all information required for the performance of their regulatory tasks.
Upon request from market surveillance authorities, open-source software stewards must draw up and keep up-to-date technical documentation for the open-source software components they administer, sufficient to allow assessment of cybersecurity compliance. (Art. 24(4))