PersonDE

Felix Reda

German digital rights and open-source advocate, former MEP, known for work on copyright and now Cyber Resilience Act open-source liability.

Last refreshed: 17 May 2026 · Appears in 1 active topic

Key Question

Does the EU's CRA guidance actually protect volunteer open-source maintainers or just large publishers?

Timeline for Felix Reda

#53 Mar

CRA draft pins open-source liability on publishers

European Tech Sovereignty

View full timeline →

Follow European Tech Sovereignty →

Common Questions

What does the EU Cyber Resilience Act mean for open-source developers?: The CRA places liability on whoever publishes and controls software, not on contributors. Solo maintainers and small projects face a lighter touch, but financial donors may trigger 'placed on market' obligations from September 2026.Source: European Commission CRA draft guidance, March 2026
Who is Felix Reda and what does he do at GitHub?: Felix Reda is GitHub's Director of Developer Policy, a former German MEP who works with the European Commission on open-source policy, including the CRA guidance shaping compliance rules for hundreds of thousands of developers.
Why does the EU Cyber Resilience Act worry open-source maintainers?: Maintainers fear being classified as 'manufacturers' with full compliance obligations if they accept donations or corporate sponsorships, even if they are volunteers with no commercial intent. Reda's work on the guidance aims to narrow that risk.Source: Open Regulatory Compliance Working Group

Background

Felix Reda is Director of Developer Policy at GitHub and one of the most consequential voices in European open-source regulation. In 2026, he is centrally involved in the European Commission's draft guidance on the Cyber Resilience Act, which confirmed on 3 March 2026 that CRA liability falls on those who publish and control software, not mere contributors. Reda has worked to ensure that rule applies proportionately to solo maintainers and small projects that lack legal resources.

Reda served as a Member of the European Parliament for Germany's Pirate Party from 2014 to 2019, where he authored the landmark 2015 copyright report and successfully lobbied for the EU-FOSSA open-source security audit programme after the Heartbleed vulnerability. Since joining GitHub he has operated at the intersection of Brussels policy-making and developer community advocacy, with copyright, freedom of expression, and open-source sustainability as his core brief.

His significance extends beyond the CRA: Reda has shaped how the EU frames open-source as public infrastructure rather than commercial software, a framing now embedded in the Sovereign Tech Agency model and the Commission's Digital Europe funding calls. With CRA vulnerability reporting obligations applying from September 2026, his guidance work directly determines compliance burden for hundreds of thousands of European developers.

How the World Sees Them

US tech industry

GitHub's institutional presence through Reda gives US interests a credible voice in EU regulation without appearing as corporate lobbying.

German government

Aligns with Sovereign Tech Agency philosophy that open-source is public infrastructure requiring state support, not just market goods.

European Commission

Treats Reda as a key civil-society interlocutor on CRA open-source guidance; his framing of 'publisher liability' anchors the draft text.

Open-source community

Depends on Reda to translate Brussels process into actionable guidance; solo maintainers lack independent legal access.