Open Source Steward
An Open Source Steward is a legal entity that systematically provides non-commercial support for open source software components used in products with digital elements. The CRA introduces a specific, lighter regulatory category for Open Source Stewards — they are not treated as manufacturers but have limited obligations to support coordinated vulnerability disclosure.
What Is an Open Source Steward Under the CRA?
The EU Cyber Resilience Act introduces the category of 'Open Source Steward' to address the reality that much of the software infrastructure underlying commercial digital products is developed and maintained by non-commercial foundations, projects, and individuals. An Open Source Steward is a legal person other than a manufacturer (such as a foundation or non-profit) whose purpose is to provide systematic, sustained support for the development of free and open source software intended for commercial activities, and to ensure the viability of that software, but which does not itself place products on the market in the course of a commercial activity. The CRA explicitly excludes Open Source Stewards from the full range of manufacturer obligations: they are not required to perform conformity assessments, issue declarations of conformity, or affix CE marks. This was a significant concession made after open source community pushback during the CRA legislative process.
What Obligations Do Open Source Stewards Have?
While Open Source Stewards are exempt from most CRA manufacturer obligations, they are not entirely unregulated. The CRA requires Open Source Stewards to:
- Put in place and document a cybersecurity policy for the software they steward, covering secure development and effective vulnerability handling, including a coordinated vulnerability disclosure (CVD) process so that security researchers and users can report vulnerabilities.
- Cooperate with market surveillance authorities, providing information relevant to the security of their software when requested.
- Report actively exploited vulnerabilities (and severe incidents affecting the software's security) under the Article 14 procedure, to the extent that they are involved in the development of the software; a steward that is not involved in the development must instead promptly inform the manufacturer and the relevant authorities.
These lightweight obligations reflect the CRA's recognition that open source stewards play a critical role in the software supply chain and need to participate in the EU's vulnerability management ecosystem, even if they are not commercial manufacturers.
The Open Source Steward Category in Practice
Community-run Linux distributions and foundations such as the Apache Software Foundation, the Eclipse Foundation, and the Linux Foundation (home of OpenSSF) are the primary intended beneficiaries of the Open Source Steward category. These organisations maintain critical infrastructure software used in millions of commercial products but are not themselves placing products on the EU market. The category gives them a defined, proportionate regulatory status rather than leaving them to be inadvertently classified as manufacturers. For commercial companies that both contribute to open source projects and manufacture products (a common pattern), the CRA requires careful organisational separation: a steward is by definition a legal person other than a manufacturer, so the commercial product manufacturing activities are subject to full CRA obligations, while only a separate non-commercial entity that supports the open source project may qualify for the Open Source Steward classification.
Implications for Manufacturers Using Open Source Components
The existence of the Open Source Steward category does not reduce commercial manufacturers' obligations with respect to the open source components they incorporate in their products. Manufacturers remain fully responsible for ensuring that all components in their products, including open source ones, meet the CRA's essential requirements when integrated into the finished product. The CRA requires manufacturers to exercise due diligence when integrating third-party components, expressly including free and open source components, so integrating such a component into a commercial product does not shift responsibility to the component's steward. Where a manufacturer identifies a vulnerability in an integrated component, the CRA also expects it to report the vulnerability to the person or entity maintaining the component and to remediate it in its own product. This makes SBOM maintenance, continuous vulnerability monitoring of dependencies, and rapid response to upstream vulnerability disclosures essential practices for any manufacturer using open source components.
CVD Portal makes Open Source Steward compliance straightforward.
Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.
Frequently asked
Does the Linux Foundation qualify as an Open Source Steward under the CRA?
The Linux Foundation and similar foundations are the primary intended beneficiaries of the Open Source Steward category. However, formal qualification depends on the specific activities of each entity and project. An entity must systematically and non-commercially support open source software for the category to apply. Foundations with significant commercial membership funding may need to analyse their specific activities carefully to determine whether the Open Source Steward classification applies to each of their projects.
If I use a component maintained by an Open Source Steward, am I responsible for its security?
Yes. As the commercial manufacturer of the finished product, you are responsible for ensuring all incorporated components meet the CRA's essential requirements. You cannot delegate this responsibility to the Open Source Steward. You must monitor the steward's security advisories, maintain a current SBOM that includes the component, and patch vulnerabilities in the component when they are disclosed. The Open Source Steward's CVD policy makes it easier for you to learn about vulnerabilities — but acting on them is your obligation.
Can a company that sells commercial support for open source software be an Open Source Steward?
This is a grey area. The Open Source Steward category is for legal persons other than manufacturers that support open source software outside the course of a commercial activity. A company that derives revenue from supporting or distributing an open source project may be treated as a manufacturer rather than a steward if that activity amounts to placing a product on the EU market in the course of a commercial activity. Dual-licensing models (open source community edition plus commercial edition) require careful analysis to determine which CRA category applies to which activities.