Maintainer Month Recap: What the CRA Means for You
By Juan Rico
Last month we teamed up with GitHub to host “The Cyber Resilience Act and Open Source: What Maintainers Really Need to Know.” The one-hour panel zeroed in on the top worries we hear from open source project maintainers and contributors. Below is a recap—and, more importantly, where you’ll find the detailed answers in the ORC working group’s CRA FAQ.
1. “Does the CRA actually apply to my project?”
The panel’s first takeaway was simple: most volunteer-run FOSS projects are not manufacturers under the law. The CRA applies to products with digital elements that are made available on the EU market in the course of a commercial activity; free and open source software developed and supplied outside a commercial activity is out of scope. Simply publishing code on GitHub is not a commercial activity, so if that is all your project does, chances are you are out of scope. The interesting cases are the edge-cases where hosting, support or packaging start to look commercial. For the fine print, including the edge-cases the speakers walked through, see “Am I subject to the CRA?” in the FAQ.
2. “What happens if I accept donations or sponsorships?”
A second hot topic was whether a project starts looking like a manufacturer once money changes hands. The consensus: taking GitHub Sponsors or ad-hoc donations does not, by itself, turn you into a CRA manufacturer or steward. The law focuses on commercial placement of products, not community fundraising. Check the FAQ entry on monetising open source projects for the nuances.
3. “Will I be fined if something goes wrong?”
Finally, the panel addressed the elephant in the room: penalties. Under the current text, the obligations, and any administrative fines for breaching them, fall on the economic operator that places the product on the EU market, principally the manufacturer. A maintainer therefore faces no fines unless they themselves meet the definition of a manufacturer; the lighter-touch open-source software steward regime carries its own obligations but is exempt from administrative fines. Even so, the panel urged projects to document their release process and spell out who does what, so that the question of who is (and is not) placing a product on the market has a clear answer. For the full breakdown, see the FAQ section on penalties for maintainers.
Still Curious? Check the CRA FAQ
We ran out of time before we could tackle every audience question, but many of them are already answered in the working group’s living CRA FAQ. Here are three good examples:
- “How can a commercial producer keep track of all the indirect dependencies pulled in by package managers?” The discussion “What do I need to do about my dependencies?” covers this topic.
- “What exactly qualifies as a ‘Product with Digital Elements’ under the CRA?” The answer under “What kinds of products are regulated by the CRA?” may help provide some clarity.
- “Where does the CRA overlap with the proposed Product Liability Directive (PLD)?” See the open discussion “How do I respond to a legal challenge?”
You’ll find these answers—and many more in progress—inside the ORC CRA FAQ. If your question isn’t covered yet, open an issue or add a comment so the community can tackle it together.
Keep Learning & Stay Involved
The CRA is evolving, and so is the guidance. Bookmark the full CRA FAQ and drop your questions—or pull requests—there. If you missed the live stream, you can watch the replay anytime on YouTube.
Open discussion is how we protect open source. Let’s keep the conversation going.