The European Commission, in consultation with cybersecurity authorities, has released updated clarifications regarding the regulatory treatment of free and open-source software (FOSS) under the CRA.
The framework explicitly differentiates between commercial manufacturers and "Open Source Stewards", that is, non-profit foundations or other entities providing sustained support for open-source projects. To avoid stifling digital innovation while ensuring ecosystem security, Open Source Stewards are subject to a tailored, light-touch regulatory regime. These entities are required to put in place security policies and vulnerability handling procedures for the projects they support, without bearing the full conformity assessment burden placed on commercial manufacturers.