Open-source software and the CRA: when maintainers are exempt
Free and open-source software that is developed or supplied outside a commercial activity is outside the CRA's scope: the final text deliberately shields hobbyist and community maintainers. The boundary is behavioural, not licence-based. What matters is not the licence you publish under but whether you monetise the supply of the software; start doing that and the same code base can cross into scope.
What this means for you specifically
- ▸Safe: accepting donations, being paid to contribute to a project you don't monetise, foundation-hosted community projects (foundations and similar legal persons that support such projects get a lighter 'open-source software steward' regime rather than full manufacturer obligations).
- ▸Risky: dual licensing, paid support or hosting tied to the software, 'open core' with commercial features, sponsorware. Each of these is an indicator that the software is being supplied in the course of a commercial activity.
- ▸Companies that integrate your library into their products carry the manufacturer obligations for those products, and will push them upstream to you: expect requests for SBOM data, a security contact, and commitments on fix timelines. This ecosystem pressure arrives regardless of your own legal status.
- ▸If you also sell a product built on your OSS, that product is in scope even though the library on its own is not.
The pitfall that catches most teams
Assuming the exemption is permanent. The day you launch 'Pro' features or paid cloud hosting, you become a manufacturer and your compliance clock starts. Retrofitting SBOM generation, a coordinated vulnerability disclosure process and incident reporting under deadline pressure is far more painful than setting them up now, while nothing depends on them.
The deadlines
2026-09-11: Reporting obligations start. Actively exploited vulnerabilities and severe incidents affecting your product must be reported via the ENISA Single Reporting Platform, with an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of them.
2027-12-11: Full application. Essential requirements, technical documentation, an EU Declaration of Conformity and CE marking are required to place products on the EU market.
Where does your product actually stand?
The free Risk Check gives you a readiness score and a prioritized fix list in 3 minutes — tuned to your exact situation, including the edge cases this page can't cover.
Or let CRAdar handle it continuously.
Educational guidance on Regulation (EU) 2024/2847 — not legal advice.