
Understanding Open Source Stewards and the Cyber Resilience Act

By Marta Rybczynska

The “Open Source Stewards and the Cyber Resilience Act” white paper explores a new role introduced by the EU Cyber Resilience Act (CRA): the open source steward. This is a newly introduced actor that doesn’t fit neatly into the existing categories of manufacturers or distributors but still carries specific obligations under the CRA.

Open source stewards are organisations, such as foundations, non-profits, or companies, that support open source projects without directly commercialising them. Because this role has never been formally defined before, there are many questions about what responsibilities stewards have and how those responsibilities interact with open source development practices.

This white paper aims to bring clarity to the topic. It outlines what open source stewards need to understand about their obligations, what processes may need to evolve, and where more discussion is needed.

Why This Whitepaper Is Needed

The CRA was written with traditional manufacturing and software supply chains in mind, not the collaborative, decentralised nature of open source.

The addition of the “Open Source Software Steward” role came after long discussions between legislators and the open source community. It is a step forward, but it is not always clear how the reality of software development can fit the requirements.

For example, in its current form, the legislation assumes a model where the steward imposes policies on a project. In reality, many open source projects create and maintain their own security policies, with stewards providing coordination and infrastructure rather than direction. Another example is the definition of the security policy, which under the CRA includes different elements than what projects had established and used for years.

Through community discussions, it became clear that such cases require explanation and an attempt to find a process that satisfies both the legal requirements and the typical workflows of open source projects. The white paper is meant to:

It’s both a practical reference for today’s stewards and a reference point for regulators as they interpret and implement the law.

What We’ve Done So Far

The work began with an empty file and the goal of mapping every article of the CRA that references open source stewards. From there, the group identified a series of key topics that needed attention, including security policy, integration with CSIRTs and notified bodies, and the handling of voluntary and mandatory vulnerability notifications.

As of now, the group has produced a first draft of the white paper, which is open for community review. Everyone interested in the topic is invited to read and provide feedback.

How to Get Involved

If you have about 15 minutes, that’s all it takes to read the document and share your thoughts. You can comment directly via:

The goal is to finalise the white paper by November 30, 2025, with all feedback submitted by November 20.

We’re also actively looking for additional resources or references about open source stewardship. If you know of relevant studies, papers, or examples, please share them so that we can build a more comprehensive picture and ensure the community speaks with one clear voice.

After this review round, the group plans to incorporate community input, polish the text, and publish the final version. Future updates may follow once open questions are resolved.

If you’re new to the topic, this is an excellent time to get involved. Whether you’re part of an open source project, a steward organisation, or a manufacturer working with open source software, your insights can help shape how the CRA is interpreted and implemented in practice.
