The CRA and Open Source Software: What's Exempt?
The CRA includes an exemption for open source software developed outside a commercial activity — but the boundaries are narrower than many developers assume. This post explains exactly what is and is not exempt.
The Open Source Debate
When the CRA was first proposed, open source communities raised significant concerns. Would developers of free, volunteer-maintained libraries be required to comply with CE marking requirements? The final regulation includes a carefully worded exemption, but it is narrower than many hoped.
What the CRA Actually Says
Recital 18 and Article 3 of the CRA state that software supplied as free and open source software to the market and not as part of a commercial activity falls outside scope. The key criterion is whether there is a commercial activity involved.
The regulation explicitly states that open source software is not outside scope merely because it is free of charge. The question is whether the supplier is engaged in a commercial activity — which includes:
- Selling paid support or services around the software
- Offering a hosted (SaaS) version commercially
- Integrating the open source component into a commercial product
- Receiving substantial financial sponsorship for development and distribution
What Is Exempt
Genuine volunteer-developed, freely distributed software with no commercial activity attached is outside the CRA's scope. The typical example is a developer maintaining a personal open source project on GitHub with no sponsorship, no paid support, and no commercial integration.
What Is NOT Exempt
- A company that develops open source software as part of its core commercial offering (e.g., HashiCorp, Elastic) is a manufacturer under the CRA
- An open source component that is bundled into a commercial product — the product manufacturer bears the obligations for that component
- SaaS platforms that have an open source client component: the client component makes the overall offering a product with digital elements (PDE) under the CRA
- Open source software developed by an employee as part of their paid employment
The "Steward" Concept
The CRA introduces a new concept: the open source software steward. Organisations that systematically provide open source software in a commercial context (foundations, hosting platforms) may be treated as stewards with lighter obligations than full manufacturers — specifically, they must have a security policy and cooperate with vulnerability disclosure, but are not required to conduct full conformity assessments.
Practical Guidance for Open Source Maintainers
If you maintain an open source project:
- Assess whether your project attracts commercial sponsorship, paid support, or downstream commercial use
- If commercial activity is present, evaluate whether CRA obligations apply to you as a manufacturer
- If your software is used by others in commercial products, communicate clearly about your vulnerability disclosure process and SBOM availability — downstream manufacturers will need this for their own compliance