ORC’s First Whitepaper on Open Source Software Stewards and the Cyber Resilience Act

By Juan Rico

The adoption of the EU Cyber Resilience Act (CRA) represents a major shift in how cybersecurity responsibilities are defined across the software ecosystem. For the first time, the regulation explicitly recognises Open Source Software Stewards as a distinct category of legal actors, separate from manufacturers, and subject to a tailored set of obligations.

While this recognition is a positive step for open source, it has also raised many practical questions. Foundations, non-profits, and other organisations that steward open source projects have been asking what this new role means in practice, what responsibilities apply, and how they can prepare without undermining the collaborative nature of open source development.

The whitepaper “Open Source Software Stewards and CRA” aims to bridge that gap. Based on a close reading of the CRA’s legal text, it provides a clear, practical overview of what the regulation requires from open source stewards, what it does not require, and where important uncertainties remain. It is not legal advice. Rather, it reflects the collective understanding of contributors actively engaged in open source policy and regulatory discussions.

Produced by the ORC Community

This publication is the first whitepaper produced by the Open Regulatory Compliance (ORC) community. From the outset, the goal was to ensure that this guidance was shaped by real-world open source experience, not theoretical assumptions.

The whitepaper was developed collaboratively by members of the ORC community, drawing on expertise from open source foundations, project leaders, security practitioners, and policy specialists. Working together, contributors analysed the CRA text, debated interpretations, and aligned on guidance that is both accurate and grounded in how open source projects actually operate.

What the Whitepaper Covers

The whitepaper focuses on the areas where stewards most need clarity today:

A Resource for CRA Stewards and Beyond

This whitepaper is intended to be a practical resource for open source stewards navigating the CRA. We also encourage regulators, policymakers, and Market Surveillance Authorities to use it as a reference for understanding how the open source ecosystem functions and how stewardship obligations can be applied proportionately.

We ask the community to share this resource widely with steward organisations, open source projects, legal and compliance teams, and anyone working at the intersection of open source and regulation. Broad awareness and shared understanding are essential to making the CRA work for open source.

What Comes Next

The ORC community has published a broader deliverables plan that includes additional whitepapers and guidance documents focused on CRA implementation and open source compliance. With this first whitepaper successfully completed, we are now ready to kick off additional community-led whitepaper projects.

If you are interested in leading or contributing to a future whitepaper, we would love to hear from you. Community leadership and participation are central to the success of ORC, and new contributors are always welcome.

By developing shared, community-driven guidance, the ORC aims to support consistent, practical implementation of the CRA across the open source ecosystem.