To me the Steward role seems like an extension to existing compliance officer/OSPO roles with a focus on sec.
Sharing some hands-on ideas: I plan to extend our OSPO roles with the interface description to the existing CySec org (VA teams, PSIRT, governance structures).
Would like to collect feedback on this idea.
So while I have heard this from others as well, I think it is important to stress that the open source steward is an _extra_ economic actor defined in the CRA legislation with:
“open-source software steward means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;”
(Art 3, paragraph 18a)
So an OSPO would not easily fit this, unless it essentially becomes much like an open source foundation itself and starts to systematically provide support downstream, etc., etc.
However, you will then have to show that this is ‘intended for commercial activities’ and meet a range of other requirements that are not easily met if the downstream path stays within the organisation. So I do not think it is the intention of the CRA to give OSPOs or compliance officers such a steward role. And I also guess that some of it is designed to prevent exactly this: to stop a commercial company from creating an unfair advantage within its own realm (e.g. allowing SMEs that host in a certain way not to have to comply with the CRA). Which is obviously the opposite of what is intended.
With kind regards,
Dw