Questions about CRA regulation (Cyber Resilience Act)
-
There are some points which I haven't understood clearly about CRA regulation.
I don't work for a company. I am into programming as a hobby, but I sometimes want to create a usable Android or Windows app and sell it online. I am a one-person developer. If I create an LGPL-licensed app and sell it in the EU (online sale), does the CRA regulation apply to my situation too? If my app does not use networking or the internet, does it change something?
-
Hey @Cfan,
Great question — the CRA (Cyber Resilience Act) is still a bit complex, especially for solo developers and hobbyists.
From what’s been shared so far, the CRA mainly applies to digital products with internet connectivity or those that handle user data in ways that could pose security risks. If your app doesn’t use any networking features and isn’t connected to the internet, it might not fall under the most stringent CRA requirements.
However, if you're selling the app in the EU, even as a solo developer, some basic compliance could still apply — especially regarding secure development practices and documentation. Licensing like LGPL is more about the code sharing terms and doesn’t exempt you from CRA if the product falls under it.
You may not be a major target, but it’s a good idea to keep an eye on updates and consult simplified guides or experts when your app starts gaining users or revenue.
Hope that helps!
-
I have skimmed the CRA (in my native language, so I might wrongly translate some of the words). Every piece of software distributed in the EU has to follow this. However, small enterprises can have simplified technical documentation and can apply for financial support. Every country still has to specify what "simplified" means. You certainly need an SBOM (a list of the libraries you are using). There is something about encryption and integrity of data, as well as integrity of the software itself. I am not sure to what extent this applies to general file formats (is every file "data"?). It becomes mandatory to report CVEs starting from next year. You are exempt from everything else if you publish your software before 11.12.2027, and it stays that way until you have "significant changes" (I read this as major updates, or maybe even a bump in the minor version because of some new functionality). Not using the internet certainly exempts you from "important devices". It is hard to tell from a quick read, but I believe that "important devices" in addition need to provide a quality assurance process.
In the end this is all based on self-reporting and I hope this is made sufficiently easy for smaller enterprises.
-
I've read it out of curiosity now.
But this doesn't influence how you can publish your Open-Source projects (with and without internet access) on something like GitHub, right?
This only affects commercial software, or really everything that is being published by "someone" within the EU?!
-
@Pl45m4 My understanding is that this applies to anyone distributing software in the EU. It doesn't matter whether you/your company is from the EU, only whether some of your clients/users are. The source code itself is not a product, yet. This means you can publish source code on GitHub without following the CRA. I assume that if you also provide compiled binaries on GitHub you'll fall under the open-source rules of the CRA. Honestly, I have skipped the articles about open source, but I have seen that there are certain rules to be followed by maintainers of open source projects. I guess we could start a discussion about whether GitHub itself is the distributor of the compiled binaries inside the EU and has to conform to the rules of the CRA. On the other hand, they might just claim that they provide a service and that each individual publisher of binaries is responsible for the CRA. I would expect GitHub to either change their terms accordingly or maybe provide an option not to publish the binaries inside the EU.
-
Qt has started a new page specifically about the CRA: https://www.qt.io/cyber-resilience-act
-
So in your linked article Qt claims that it only affects people/companies who SELL their software. The responsibility comes as soon as you receive money for your "product". For free/open source software, the developer doesn't/you don't have this kind of responsibility, as far as I understand.
-
@Pl45m4 said in Questions about CRA regulation (Cyber Resilience Act):
So in your linked article Qt claims that it only affects people/companies who SELL their software. The responsibility comes as soon as you receive money for your "product". For free/open source software, the developer doesn't/you don't have this kind of responsibility, as far as I understand.
That's what I thought too, but then I heard/read that free vs. paid depends on your "intended use"... which struck me as somewhat unenforceable, since I can say it's FOSS while I'm developing and then buy a single-user seat right before I go to market, but the heavy dev work is done by then.
I'm not sure about the current licensing but Qt could generate some good will among professionals by making sure of two things:
- the licence is in perpetuity for a particular version of the framework (no subscription required to continue using it)
- present fixed price licensing fees. None of this crap where companies want to set fees based on perceived revenue generated by the target product.
Sorry if my thoughts deviate from the point of the conversation a bit.
-
I dove a little deeper into the CRA concerning open source software. It is slightly confusing. There is an official German overview page (https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Cyber_Resilience_Act/cyber_resilience_act_node.html) that states:
Non-commercial open source software products are exempt from the CRA and therefore do not have to fulfill the requirements of the CRA.
There are specific articles about "stewards of open source software". The official document starts with a long list describing the intent. The steward is not necessarily the maintainer of open source software but a foundation that sponsors/supports the open source software. In the case that you develop open source software, most likely you are the steward. Open source software is exempt from most of the regulation. They can only be fined for violations of articles 13 and 14. This mostly pertains to having a documented system in place to report security vulnerabilities.
The key thing that gets interpreted as "non-commercial" seems to be the phrase "when placing a product with digital elements on the market". In the beginning of the document, where the intent is explained, the phrase "place on the market" means to "distribute in the course of a commercial activity". This means "charging a price" or "charging for technical support" or "monetization". The latter two seem to be commercial activities only if they are there to make a profit and not just to cover actual costs. Donations are explicitly allowed. One slight problem I see with this is that this is only the intent of the law, but not the actual law of the CRA. Still, I would believe (IANAL) that a good lawyer can still point to the intent of the law if you were actually sued for not following the CRA.
There are also articles for the market surveillance authorities to follow. And they are supposed to contact stewards of open source software if they think they fall under the CRA. I wouldn't say that makes you exempt from penalties if you violate the CRA as a steward of open source software, but I would hope that they first help you to conform to the CRA before fining you.
It is hard to predict how the CRA will be implemented. But open source software and SMEs should have some special rights and be treated more leniently in the beginning.
-
With everything I've read, I'll try to respond to your questions more explicitly.
@Cfan said in Questions about CRA regulation (Cyber Resilience Act):
If I create an LGPL licensed app and sell it in EU(online sell), does CRA regulation apply to my situation too?
The only exemption from the CRA is non-commercial open source software. So, if you want to sell in the EU, your software will fall under the CRA. I am not sure what you mean by an "app under the LGPL". Is all your own code open source as well? Then you "only" need to follow articles 13 and 14. If your own source code is not open, somebody has to follow more rules. If you are located inside the EU it'll be you yourself. If you are located outside the EU it will get more complicated. I am not sure how the roles of "manufacturer", "importer", and "distributor" are assigned. It might be that the app store has to fulfill some of the duties instead of you yourself.
@Cfan said in Questions about CRA regulation (Cyber Resilience Act):
If my app does not use networking or internet, does it change something?
Yes. There is the category of "important products with digital elements". What makes a product "important" are things like internet connectivity. "Important products" have to fulfill additional obligations. Without any additional knowledge about your actual app, I would guess that it is not an "important product". You'll find a list of important products in Annex III.