Skip to content
You can now search across every topic, entity and event.What's new
European Tech Sovereignty
30JUN

CRA draft pins open-source liability on publishers

3 min read
17:31UTC

The European Commission published draft Cyber Resilience Act open-source guidance on Tuesday 3 March 2026 with consultation closing on Tuesday 31 March, confirming that responsibility for free and open-source software falls on who publishes and controls, not on contributors with commit access.

TechnologyDeveloping
Key takeaway

Maintainer liability is settled at the publisher-control test; donation triggers remain unresolved with the September 2026 reporting clock running.

On Tuesday 3 March 2026, the European Commission published draft implementation guidance for the Cyber Resilience Act (CRA, the EU's binding cybersecurity law covering digital products and software with digital elements) governing how the law applies to free and open-source software 1. Consultation closed on Tuesday 31 March. The guidance establishes that responsibility under the CRA falls on the entity that publishes and controls the software, not on individual contributors who hold commit access.

The CRA reporting clock starts on Friday 11 September 2026 regardless of whether The Commission publishes final guidance before then. The draft closes the contributor-versus-publisher ambiguity Felix Reda, the German digital rights advocate and former MEP, had flagged repeatedly through 2024 and 2025. Hogan Lovells' published analysis of the draft confirms full compliance applies from Saturday 11 December 2027. OpenForum Europe and other open-source advocacy bodies welcomed the publisher-control test as resolving the most acute exposure for individual maintainers.

The grey area that remains is whether financial donations to a project trigger "placed on market" obligations under the CRA. The draft text suggests donations can trigger those obligations where access to essential functionality is conditional on payment. That conditional clause is the file's unresolved question for maintainers operating donation-funded projects with no separation between freely available and donor-tier functionality. The seven-CEO deregulation letter arrived in the same fortnight; the CRA open-source file was not in scope, but the legislative environment is the same. The Commission has not published the final guidance, and no publication date has been announced as of mid-May 2026.

Deep Analysis

In plain English

The Cyber Resilience Act (CRA) is an EU law that will require software sold in Europe to meet minimum security standards; much like toy safety labels or car crash tests, but for software. The CRA creates a problem for open-source software: code that anyone can download freely and modify, written by volunteers who are not paid. The guidance published in March clarifies two things. First, if you publish and control an open-source project, you are responsible for its security, not every individual who has ever contributed code. Second, if your project receives regular financial donations (through crowdfunding or sponsorship platforms), you may count as a commercial entity and lose some of the open-source exemptions. For software developers in Europe, this means they need to track who funds their projects and whether that funding crosses a compliance threshold.

Deep Analysis
Root Causes

The CRA's open-source liability ambiguity was an unintended product of the legislation's history: the original 2022 Commission proposal focused on IoT hardware and commercial software, and the open-source carve-out was added by the European Parliament during trilogue in 2023 without a detailed definition of who fell within the carve-out.

The carve-out's wording; 'freely available software, not in the course of a commercial activity'; was drafted by MEPs without input from open-source foundations, who only engaged fully after the text was finalised.

Felix Reda, the former MEP and open-source advocate, had flagged the contributor-vs-publisher ambiguity publicly from the first published draft, but his interventions during the passage of the legislation were unsuccessful in securing a clearer text. The March 2026 guidance is the belated administrative response to that unresolved legislative gap.

What could happen next?
  • Risk

    The donation-triggers-liability ambiguity may cause GitHub Sponsors and Open Collective to implement EU geo-restrictions on donation features before 11 September 2026, drying up funding for European open-source maintainers at the moment CRA compliance investment is highest.

    Immediate · 0.55
  • Precedent

    The publisher-not-contributor liability rule will become the reference point for all subsequent EU digital product-safety legislation applied to software, including potential extensions of the AI Act to open-weight AI models.

    Long term · 0.7
  • Consequence

    The 11 September 2026 CRA reporting deadline applies regardless of whether the Commission publishes final guidance, meaning open-source publishers must begin compliance preparations under the draft guidance framework with no guarantee that the final rules will match.

    Immediate · 0.85
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

Sovereign Tech Agency· 17 May 2026
Read original
Causes and effects
This Event
CRA draft pins open-source liability on publishers
Resolves the contributor-versus-publisher ambiguity Felix Reda flagged, though the financial-donations grey area remains live before reporting obligations begin on 11 September 2026.
Different Perspectives
United States (Google/Alphabet)
United States (Google/Alphabet)
Alphabet lost its final Android appeal on 2 July with no further court to hear it, a result its Computer and Communications Industry Association allies frame as precedent, not deterrence, since the €4.1bn fine changed nothing about Google's Play Store terms across eight years of litigation.
UK Department for Science, Innovation and Technology
UK Department for Science, Innovation and Technology
DSIT opened its £96m second Sovereign AI wave on 3 July, switching from April's equity stakes to fixed-price contracts because Britain has no domestic hyperscaler or Bpifrance-style lender to fund capacity another way. It is betting on buying outcomes it controls alone rather than joining an EU-wide framework.
German federal government
German federal government
Berlin backed both German deliverables this week, Infineon's fab and Aleph Alpha's merger, but is finding one far harder to close than the other. It wants enforceable protective rights inside Cohere's cap table before the merger closes, a legal instrument the Bundeskartellamt has no filing to review yet.
European Commission
European Commission
The Commission banked a clean CJEU win on the eight-year Android case on 2 July, removing Google's last comparator argument before President von der Leyen rules on the far larger DMA self-preferencing fine due 27 July. Brussels treats Infineon's early Dresden delivery as proof the Chips Act mechanism works, at the node Europe already led.
Bruegel (EU industry sceptics)
Bruegel (EU industry sceptics)
Bruegel economist Mario Mariniello argued the EU sovereignty package mimics US and Chinese strategy while EU cloud providers hold roughly 15% of their home market; using nationality as a proxy for security without fixing the underlying capital and energy gaps that drive the dependency creates €86bn of migration cost without the security benefit it is sold as delivering.
France
France
France published a joint sovereignty definition with Germany at VivaTech and mobilised €13bn under Tibi Phase 3, placing SAP's partnership with Mistral as the working proof that a German enterprise-software giant running a French sovereign model inside public administration is what digital sovereignty looks like in practice.