Thanks, Seth.
I can understand why a software producer would be paying careful attention to these EU-CRA obligations if they are categorized as a “manufacturer”, with the strictest obligations – including fines – or as an “open-source software steward” with a much lighter touch, which still requires meeting certain obligations under the EU-CRA.
There is an EU-CRA expert group working on cybersecurity. Hopefully this group will provide the clarity software developers need to comply with the EU-CRA.
https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3967
A pure open-source developer seeking no compensation (a true volunteer) seems to be exempt from the EU-CRA obligations, based on my understanding. But, like you said, there is still some uncertainty regarding EU-CRA compliance expectations.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
From: Seth Michael Larson <sethmichaellarson@xxxxxxxxx>
Sent: Thursday, December 19, 2024 11:07 AM
To: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Maintainer considering removing project due to CRA obligations and uncertainty
I believe from reading the thread it's the combination of:
* Uncertainty around the who, what, and how for conforming to the CRA.
* Heavy fines and liability (max 15M Euros)
* This project is already in minimal-maintenance mode due to restricted maintainer time.
* Options for handing off the project (to a foundation? to a new maintainer? (remember the xz-utils backdoor...)) are unclear at this point for the current maintainer.
This scenario is not a rare one; I suspect that many folks are in the same situation but aren't aware of the CRA in any way yet.
Seth,
Did that party identify any specifics regarding the EU-CRA open-source expectations that they are most concerned about?
Business Cyber Guardian is seeking to understand more details about the EU-CRA, specifically we are interested in knowing who/what is considered an “open-source software steward” and what are the obligations of an open-source software steward.
Thanks,
Dick Brooks

Hello all, hope you are doing well.
Jarek Potiuk from Airflow shared this example with me: a case where an open source maintainer is planning to completely remove their project from PyPI due to the CRA uncertainty and obligations. I think this shows how important a factual, up-to-date, TLDR-style blog post about the current state of affairs from our group would be, especially for open source projects under foundations and those maintained by individuals.