Commit 39614de

Update docs/CRA-Brief-Guide-for-OSS-Developers.md
Co-authored-by: Georg Kunz <[email protected]> Signed-off-by: David A. Wheeler <[email protected]>
1 parent 3083c71 commit 39614de

1 file changed

+1
-1
lines changed

docs/CRA-Brief-Guide-for-OSS-Developers.md

Lines changed: 1 addition & 1 deletion
@@ -13,7 +13,7 @@ The [European Union (EU) Cyber Resilience Act (CRA)](https://eur-lex.europa.eu/e
1313
You may have heard things about the CRA (especially its early drafts) that made you worried. The published law is what matters, and for typical individual OSS contributors, there’s no need to panic:
1414

1515
1. *The CRA [does not apply to any contributors to someone else’s OSS project](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#rct_18)*.
16-
2. *The CRA does not apply to web sites or web services unless they are [part of the remote data processing of a product put on the market](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3).
16+
2. *The CRA does not apply to web sites or web services unless they are [part of the remote data processing of a product put on the market](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3)*.
1717
3. *The CRA only applies to software if it’s “[supplied for distribution or use in the course of a commercial activity](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#rct_15)*. If the OSS isn’t part of a commercial activity as defined by the CRA, then the CRA does not apply.
1818

1919
Many typical activities of OSS projects [aren’t considered a commercial activity under the CRA](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#rct_18). Examples of such typical activities are: receiving financial support from manufacturers (without a profit), manufacturers contributing to its development, performing regular releases, being hosted on an open repository, accepting donations without the intention of making a profit, and being supported by a not-for-profit organization. We strongly encourage all OSS projects to [develop secure software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software), and the CRA can be a useful guide even when CRA compliance is not required. Yet complying with the CRA isn’t required by activities like these.
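
Review bot: item 3 in the trailing context still has an unbalanced delimiter of the same kind this change fixes in item 2. In `3. *The CRA only applies to software if it’s “[supplied for distribution or use in the course of a commercial activity](...)*.` the opening quotation mark before the link is never closed. Suggest adding the closing ” after the link and before the closing `*`, so that the quoted phrase and the emphasis both end cleanly, with the period outside the emphasis as in items 1 and 2. Since it is the same list and the same class of Markdown fix, it could go into this commit.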
