Legal & Compliance

Open-Source Stewards Under the CRA: NPO Pitfalls

Session Abstract

The CRA’s Open-Source Software Steward (OSSS) status offers legal recognition and hidden traps for non-profits and volunteer communities. This talk unpacks benefits, duties, liability, and tax effects, helping NPOs use the status safely and avoid accidental burdens.

Session Description

The EU Cyber Resilience Act (CRA) introduces the Open-Source Software Steward (OSSS) role — a novel legal construct acknowledging entities that systematically support open-source development. While it promises lighter duties than full “manufacturers,” the OSSS label can create unexpected exposure for foundations, associations (e.V.s) and volunteer organizations.
This session focuses exclusively on non-commercial actors — not on businesses seeking OSSS qualification — and explores the pitfalls of leveraging the status:
• Benefits of OSSS recognition for NPOs: legitimacy, funding leverage, and security-governance credibility.
• Problems & Obligations: Article 24 CRA obligations (security policy, vulnerability handling, authority cooperation).
• Achieving / Avoiding OSSS classification.
• Liability effects: how far the penalty exception in Art. 64 para. 10 CRA could extend to civil liability.
• Tax status implications: narrative conflicts between “intended for commercial activities” and non-profit status (Gemeinnützigkeit); mitigation through legal operations and desirable tax legislation.
• Other legal angles: antitrust boundaries and GDPR responsibilities.
• “OSSS as a Service”: outsourcing as an option for every NPO? And what to keep in mind when signing and executing such an agreement?
• Case Studies:
◦ A German Fediverse gGmbH with no non-profit status and its U.S. 501(c)(3) counterpart
◦ A Belgian Private Foundation
◦ A German Association with non-profit status

Wintergarten
16 Mar 2026
11:35am - 12:35pm
Workshop