Scenario: does the CRA apply to your OSS?
Walk the open-source exemptions and the steward-vs-manufacturer line to a clear yes or no.
Does the CRA even apply to your open-source project? Walk the exemptions — non-commercial activity, steward versus manufacturer — to a clear, defensible answer.
The CRA sent a wave of worry through open source: does releasing a library make you a regulated manufacturer? For most genuine open-source projects the answer is no — but the line is about commercial activity and role, not the licence.
The questions that decide it
The roles the CRA draws
- Non-commercial open source. A project not developed as a commercial activity falls outside the manufacturer obligations.
- Open-source steward. A foundation or entity that supports a project used in commercial products carries lighter, tailored duties — a cybersecurity policy and cooperation with authorities — not the full manufacturer burden.
- Manufacturer. The moment you integrate that component into a product you sell or monetise, the obligations attach to you, the manufacturer — not to the upstream volunteers.
The answer for this project
A volunteer library with no commercial activity behind it is exempt from the manufacturer requirements. The obligation lives with whoever ships it inside a commercial product — so the honest move is to help them: publish a security policy and coordinate disclosure, even where the law doesn't compel it.
The CRA doesn't tax open source for existing. It follows the commercial activity — the exemption is real, and knowing which role you hold is how you claim it.
Proofwright helps stewards and manufacturers alike carry the duties that actually land on them.
It's live.
See the real thing at Proofwright.