For Foundations and Large-Scale Projects
The Cyber Resilience Act affects you too — whether you want it to or not.
With the Cyber Resilience Act (CRA), the EU has introduced a new role: the "open source software steward". This role concerns legal persons that systematically and sustainably support the development of free software — in other words, exactly what foundations do.
The problem: many foundations cannot or do not want to take on the associated obligations. They operate internationally, often under US law, with limited resources and without a European legal department. Nonetheless, they may qualify as a steward under the CRA as soon as the projects they support are used for commercial purposes in the EU.
What the CRA requires of stewards
The CRA obliges open source software stewards to a range of measures (Art. 24 CRA):
- Develop and make public a documented cybersecurity strategy
- Promote the documentation, remediation, and elimination of vulnerabilities
- Support information exchange on vulnerabilities within the community
- Promote the voluntary reporting of vulnerabilities
- Cooperate with market surveillance authorities and submit documentation upon request
- Report actively exploited vulnerabilities and severe security incidents
- Submit documentation upon request of the market surveillance authority in a language easily understood by that authority — which in practice means: in the national language of the respective authority
- Report early warnings to authorities within 24 hours and inform affected users early about vulnerabilities and security incidents
These obligations apply as soon as a project is intended for commercial activities — and that applies to most foundation projects.
The time zone problem further exacerbates the situation: many foundations operate across numerous time zones, with maintainers in the USA, Europe, and Asia. Meeting a 24-hour reporting deadline when the responsible maintainer is asleep and the authority operates in a different time zone is an organisational challenge that requires professional processes.
How OTTRIA provides relief
More than one steward is possible
An important point: the steward role is not exclusive. There can be more than one steward for a project. If a foundation wants to be a steward itself or qualifies as one due to its role, this does not preclude OTTRIA from also acting as steward for the same project. On the contrary: OTTRIA can specifically relieve the foundation of the European obligations while the foundation maintains its global role.
A contract with OTTRIA relieves steward obligations
When OTTRIA takes over the steward role for a project, the obligations under Art. 24 CRA pass to OTTRIA. The foundation does not need to register itself as a steward or build the associated processes.
This means:
- OTTRIA develops and documents the cybersecurity strategy for the project
- OTTRIA takes over vulnerability management and reporting obligations
- OTTRIA cooperates with European market surveillance authorities
- OTTRIA provides the required documentation
No foreign law, no foreign language
The CRA is an EU Regulation. Authorities communicate in German, French, or other EU official languages. The legal requirements are based on European law.
For a foundation based in the USA or another non-EU jurisdiction, this means: you would need to engage with a legal system that is not yours, in a language that is not yours. OTTRIA takes this over. We are a European company based in Germany and work directly with the competent authorities.
CRA compatibility without forks
OTTRIA works in the existing project — not in a fork. All contributions, patches, and reviews flow back into the original repository. The project's governance remains with the foundation. OTTRIA acts as a service provider, not a competitor.
The pressure does not come only from the CRA
The steward obligations under the CRA are only part of the equation. The actual pressure arises from the users of your projects:
- DORA-regulated financial institutions must conduct open source analyses (Art. 25(1) DORA) and manage all ICT third-party risks (Art. 28(1-3) DORA). They will treat your foundation as a point of contact — with compliance requirements designed for enterprise SLAs.
- NIS2 operators must assess the security processes of all suppliers (Art. 21(2)(d) NIS2), including measures reflecting the state of the art (Art. 21(3) NIS2). Foundations are also considered suppliers.
- Manufacturers under the CRA must demonstrate due diligence when integrating open source components (Art. 13(5) CRA) and report discovered vulnerabilities to the steward (Art. 13(6) CRA). Without a clear point of contact, this burden falls on the foundation.
- Product liability further intensifies the situation: when an open source component causes damage, injured parties look for those responsible — and foundations are more visible than individual maintainers.
This regulatory pressure flows upstream. OTTRIA absorbs it: as a European point of contact that handles enterprise enquiries, takes over authority communication, and delivers the evidence your users need.
Additional support
Beyond the steward role, OTTRIA offers foundations and large-scale projects further operational support:
- Security audits and code reviews of supported projects
- Quality assurance through extended test suites and regression tests
- Release management support for security-relevant releases
- Vulnerability disclosure coordination — we coordinate the responsible disclosure of vulnerabilities
- Documentation for manufacturers who use your software in their products
What this means for manufacturers
Companies that use a foundation's software also benefit. When OTTRIA acts as steward for a foundation project, manufacturers receive:
- Faster information about vulnerabilities
- Professional vulnerability management
- Documentation that supports their own due diligence obligation under Art. 13(5) CRA
- A concrete point of contact in the EU
The voluntary security attestation under Art. 25 CRA can facilitate manufacturers' integration of open source components — a further advantage of professional steward support.
What the steward role requires
The steward obligations under Art. 24 CRA are substantial: documented cybersecurity strategy, active vulnerability management, reporting obligations within 24 hours, cooperation with market surveillance authorities in the respective national language. Market surveillance authorities can require corrective measures (Art. 52(3) CRA). OTTRIA takes over these obligations with the professional processes they require.
You represent a foundation or a large-scale project and would like to discuss stewardship? Contact us for a no-obligation conversation.