European Tech Sovereignty
10 JUN

CRA draft pins open-source liability on publishers

3 min read
10:31 UTC

The European Commission published draft Cyber Resilience Act open-source guidance on Tuesday 3 March 2026 with consultation closing on Tuesday 31 March, confirming that responsibility for free and open-source software falls on who publishes and controls, not on contributors with commit access.

Key takeaway

Maintainer liability is settled at the publisher-control test; donation triggers remain unresolved with the September 2026 reporting clock running.

On Tuesday 3 March 2026, the European Commission published draft implementation guidance for the Cyber Resilience Act (CRA, the EU's binding cybersecurity law covering digital products and software with digital elements) governing how the law applies to free and open-source software [1]. Consultation closed on Tuesday 31 March. The guidance establishes that responsibility under the CRA falls on the entity that publishes and controls the software, not on individual contributors who hold commit access.

The CRA reporting clock starts on Friday 11 September 2026 regardless of whether the Commission publishes final guidance before then. The draft closes the contributor-versus-publisher ambiguity Felix Reda, the German digital rights advocate and former MEP, had flagged repeatedly through 2024 and 2025. Hogan Lovells' published analysis of the draft confirms full compliance applies from Saturday 11 December 2027. OpenForum Europe and other open-source advocacy bodies welcomed the publisher-control test as resolving the most acute exposure for individual maintainers.

The grey area that remains is whether financial donations to a project trigger "placed on the market" obligations under the CRA. The draft text suggests donations can trigger those obligations where access to essential functionality is conditional on payment. That conditional clause is the file's unresolved question for maintainers operating donation-funded projects with no separation between freely available and donor-tier functionality. The seven-CEO deregulation letter arrived in the same fortnight; the CRA open-source file was not in its scope, but the legislative environment is the same. The Commission has not published the final guidance, and no publication date has been announced as of mid-May 2026.

Deep Analysis

In plain English

The Cyber Resilience Act (CRA) is an EU law that will require software sold in Europe to meet minimum security standards, much like toy safety labels or car crash tests, but for software. The CRA creates a problem for open-source software: code that anyone can download freely and modify, written by volunteers who are not paid. The guidance published in March clarifies two things. First, if you publish and control an open-source project, you are responsible for its security, not every individual who has ever contributed code. Second, if your project receives regular financial donations (through crowdfunding or sponsorship platforms), you may count as a commercial entity and lose some of the open-source exemptions. For software developers in Europe, this means they need to track who funds their projects and whether that funding crosses a compliance threshold.

Root Causes

The CRA's open-source liability ambiguity was an unintended product of the legislation's history: the original 2022 Commission proposal focused on IoT hardware and commercial software, and the open-source carve-out was added by the European Parliament during trilogue in 2023 without a detailed definition of who fell within the carve-out.

The carve-out's wording, 'freely available software, not in the course of a commercial activity', was drafted by MEPs without input from open-source foundations, who only engaged fully after the text was finalised.

Felix Reda, the former MEP and open-source advocate, had flagged the contributor-vs-publisher ambiguity publicly from the first published draft, but his interventions during the passage of the legislation were unsuccessful in securing a clearer text. The March 2026 guidance is the belated administrative response to that unresolved legislative gap.

What could happen next?
  • Risk

    The donation-triggers-liability ambiguity may cause GitHub Sponsors and Open Collective to implement EU geo-restrictions on donation features before 11 September 2026, drying up funding for European open-source maintainers at the moment CRA compliance investment is highest.

    Immediate · 0.55
  • Precedent

    The publisher-not-contributor liability rule will become the reference point for all subsequent EU digital product-safety legislation applied to software, including potential extensions of the AI Act to open-weight AI models.

    Long term · 0.7
  • Consequence

    The 11 September 2026 CRA reporting deadline applies regardless of whether the Commission publishes final guidance, meaning open-source publishers must begin compliance preparations under the draft guidance framework with no guarantee that the final rules will match.

    Immediate · 0.85
First Reported In

Update #5 · Brussels' 27 May package, two days before G7

Sovereign Tech Agency · 17 May 2026
Causes and effects
This Event
CRA draft pins open-source liability on publishers
Resolves the contributor-versus-publisher ambiguity Felix Reda flagged, though the financial-donations grey area remains live before reporting obligations begin on 11 September 2026.
Different Perspectives
European cloud and open-source industry
European cloud providers gain a binding procurement mandate from CADA, confirmed by Gartner's $12.6bn sovereign-cloud figure for 2026. The $40bn Pax Silica commitment signals Brussels will not extend sovereignty discipline to the silicon layer, and the missing €350m Sovereign Tech Fund leaves open-source maintenance infrastructure unfunded beneath those same clouds.
United Kingdom
Science Secretary Kendall's £1.1bn Hardware Plan on 8 June chose demand-side instruments, advancing £150m to British chip startups via the British Business Bank, where Brussels chose supply-side alliance membership. Britain joined Pax Silica before the EU and has no collective EU procurement leverage; the Hardware Plan is the bilateral answer to the same silicon gap.
United States
Pax Silica, a State Department initiative launched in December 2025, secured EU membership the same afternoon Brussels adopted its cloud sovereignty law. Ambassador Puzder had named CADA a red line against the EU-US trade framework; the narrowed CADA scope and the $40bn chip commitment together represent the settlement Washington sought.
France
France was the only EU state to oppose Pax Silica accession at COREPER on 3 June, asking the Commission to clarify the Council's steering role inside the alliance. Paris backed CADA and hosts Mistral AI; a $40bn US-chip commitment contractually narrows the commercial space for the sovereign AI model that France is trying to scale.
European Commission
Von der Leyen framed CADA on 3 June as keeping 'most of our market open to like-minded partners', and the Commission's EVP Virkkunen simultaneously required majority-European ownership for the €4.12bn AI Gigafactories call. Brussels is managing rather than resolving the silicon dependency by asserting regulatory control at the cloud layer while formalising the chip relationship through Pax Silica.
European Central Bank
The ECB's digital euro pilot drew more than 50 PSP applications and is naming 10 to 30 participants in July, advancing on its own monetary mandate without requiring a Commission act. Its trajectory this week is the inverse of CADA's: the sovereignty instrument that restricts no US firm is the only one keeping its published calendar.