Addressing your questions about the Cyber Resilience Act
The Cyber Resilience Act has been in force for over a year. However, there are still uncertainties and recurring questions. During FOSDEM 2026, the FSFE held a Q&A session on this topic together with a representative of the German market surveillance authority and the European Commission.
One question that we also explored in a survey is the role of the steward. People are still unsure whether and under what circumstances they should or want to become a steward. One part of the question is relatively easy to answer: no one has to become a steward. The Cyber Resilience Act (CRA) is a product regulation that aims to place obligations on manufacturers. As long as you are not a manufacturer and your software is not incorporated into a product, the CRA does not apply to you. It becomes more complex if you develop Free Software that is used in products. In this case, the manufacturer must ensure that they can fulfil the obligations under the CRA. If the manufacturer decides to use your project, you may consider whether you would like to become a steward. If you do not want to become a steward, the manufacturer should look for alternatives or, for example, fork your project so that they can fulfil the obligations under the CRA. However, they cannot force you to become a steward.
This gives you the opportunity to work with the manufacturer and be compensated for working on your Free Software.
Besides the option of becoming a steward, there is also the option of attestation (Art. 25 CRA). In order to facilitate the due diligence obligation, voluntary security attestation programmes could be established. This could also be an interesting option for you to help ensure the maintenance of your software is sustained in the long run. There is still uncertainty about attestation, which is to be clarified by a delegated act of the European Commission. For this purpose, we have launched another survey, and you are welcome to participate by 28 February 2026, midnight AoE, to contribute your ideas and suggestions.
We will evaluate the results and make them available to decision-makers and relevant stakeholders, incorporating them into the process. Here, too, we will focus our efforts on ensuring that Free Software contributors and small projects are protected and supported.
