Translations:Cyber Resilience Act (CRA)/24/en

The definition allows only limited classification based on objective criteria by external parties. Thus, qualification will likely depend on whether the legal entity internally adopts an open-source stewardship role for a product. According to Art 25, the Commission may issue security certifications for open-source software through delegated acts; as of October 2024, no details are known. Art 9 CRA provides that the "Open Source Community" must be consulted by the Commission as a stakeholder during the implementation of the regulation. Therefore, besides the economic benefits of stewardship, concrete opportunities for shaping the framework are also guaranteed.