FOSS Backstage 2026

Open-Source Stewards Under the CRA: NPO Pitfalls
2026-03-16, Room Wintergarten

The CRA’s Open-Source Software Steward (OSSS) status offers legal recognition and hidden traps for non-profits and volunteer communities. This talk unpacks benefits, duties, liability, and tax effects, helping NPOs use the status safely and avoid accidental burdens.


The EU Cyber Resilience Act (CRA) introduces the Open-Source Software Steward (OSSS) role — a novel legal construct acknowledging entities that systematically support open-source development. While it promises lighter duties than full “manufacturers,” the OSSS label can create unexpected exposure for foundations, associations (e.V.s) and volunteer organizations.
This session focuses exclusively on non-commercial actors — not on businesses seeking OSSS qualification — and explores the pitfalls of leveraging the status:
• Benefits of OSSS recognition for NPOs: legitimacy, funding leverage, and security-governance credibility.
• Problems & Obligations: Article 24 CRA obligations (security policy, vulnerability handling, authority cooperation).
• Achieving / Avoiding OSSS classification.
• Liability effects: how far the penalty exception in Art. 64 para. 10 CRA could extend to civil liability.
• Tax status implications: narrative conflicts between “intended for commercial activities” and non-profit status (Gemeinnützigkeit); mitigation through legal operations and desirable tax legislation.
• Other legal angles: antitrust boundaries and GDPR responsibilities.
• “OSSS as a Service”: outsourcing as an option for every NPO? And what to keep in mind when signing and executing such an agreement?
• Case Studies:
◦ A German Fediverse gGmbH with no non-profit status and its U.S. 501(c)(3) counterpart
◦ A Belgian Private Foundation
◦ A German Association with non-profit status

Maximilian Kroker is an attorney focusing on IT and data protection law and a computer scientist. This interdisciplinary background combines legal expertise with deep technical understanding—a combination of particular value to technology-oriented companies. His professional focus is on the legal support of digital business models, especially in dealing with software products, open-source components, cloud infrastructures, and regulatory requirements such as the GDPR, the Cyber Resilience Act (CRA), or the AI Act.

photo: Thomas Hedrich