Mirko SwillusMar 6

This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.

Here: Quick guidance for the question if your FOSS component is in scope for the CRA, and if so, wether you're deemed a steward or manufacturer in regards of the component.

#opensource #cra

Show threadadvokattMar 6
@mechko nice chart. some boxes are not always easy to answer, though. product with digital elements? placed on the market? part of commercial activity? uh-oh
Show threadMirko SwillusMar 6

@km Yeah, I feel you.

Not a legal advice, but 'product with digital elements' just comes down to "everything with software in it and a connection to the outer world, and is somewhat 'shipped' - i.e. pure SaaS is not in scope"

'placed on the market' and 'commercial activity': The examples are worth having a look to get a feel, this is example 21 on page 18 for instance:

Show threadmike morris
@mechko @km
I'm confused by the box asking about "commercial activity"... what would one answer for dual-licenced software/library? (i.e. One with an OS licence for OS use, with an option for a commercial licence for commercial use.)
Mar 6 at 11:31amWeb
Show threadMirko SwillusMar 6
@mikro2nd @km No legal advice, but I'd say the license is not important, it's rather the question if there is a legal person which "sells" the software on the European single market.
Show threadcubeosMar 16
@mikro2nd @mechko @km No legal advice, but one non-profit I know with dual license decided to move everything to a single standard OSS license to make sure they are considered a steward and not a manufacturer under the CRA.
Show threadMirko Swillus6d ago

@cubeos @mikro2nd @km Mhm ja, I‘d rather look twice prior to creating a lot of effort and distraction for everyone involved. The license itself isn‘t the differentiator here.

(again, no legal advice either 😅)