The Open Source Steward — A New CRA Category
The Cyber Resilience Act (CRA) creates an entirely new role in the open source ecosystem: the open source software steward. This role did not exist before the CRA. It is the legislator's answer to a central question: Who takes responsibility for open source software embedded in commercial products — but sold by no one?
What is a steward?
The definition is in Art. 3 No. 14 CRA: A steward is a legal person that:
- Is not a manufacturer
- Has the purpose of systematically and sustainably supporting the development of specific open source products
- Ensures the viability of these products
- The products are intended for commercial activities
A steward does not sell software. It ensures that open source projects remain secure, maintained, and usable.
What obligations does a steward have?
The obligations are set out in Art. 24 CRA and are deliberately lighter than the manufacturer obligations:
- Develop and document a cybersecurity strategy (Art. 24(1))
- Promote the voluntary reporting of vulnerabilities (Art. 24(1), Art. 15)
- Document, remediate, and eliminate vulnerabilities (Art. 24(1))
- Promote information exchange on vulnerabilities within the community (Art. 24(1))
- Cooperate with market surveillance authorities upon request (Art. 24(2))
- Report actively exploited vulnerabilities, insofar as the steward is involved in development (Art. 24(3))
Steward vs. manufacturer
The decisive difference:
- Manufacturers bear the full CRA obligations: CE marking, declaration of conformity, full fines of up to EUR 15 million or 2.5% of annual turnover (Art. 64(2))
- Stewards are subject to reduced obligations and are expressly exempt from fines (Art. 64(10b)). Other financial sanctions are also excluded (Recital 120). In the event of a breach, market surveillance authorities may only require "appropriate corrective measures" (Art. 52(3)).
A steward expressly may not affix the CE marking (Recital 19).
What does the steward role deliver?
For open source projects:
- Professional vulnerability management without the project itself having to provide the resources
- Access to structured security processes
- Protection from the consequences that arise when a project without a steward is used commercially
For companies that use open source:
- The steward receives vulnerability reports under Art. 24(3) — this can mean a time advantage of weeks to months over public CVE disclosure
- Manufacturers who discover vulnerabilities in stewarded projects must inform the steward and share patches (Art. 13(6))
- The due diligence obligation for FOSS integration (Art. 13(5)) can be demonstrably fulfilled through collaboration with a steward
What does this mean for you?
If you use open source components in your products, you benefit when those projects are under steward support. If your company operates or supports open source projects, the steward role can protect you from the full manufacturer obligations of the CRA. OTTRIA voluntarily registers as a steward and thereby takes on the operational obligations for the projects it supports.
Further reading
- OTTRIA as Open Source Steward
- What is the Cyber Resilience Act?
- Open source has no contractual partner
Want to know how the steward role simplifies your CRA compliance? Arrange a conversation.