Commit 81ddad1

Add a new heading for the text on OSS Stewards
Signed-off-by: David A. Wheeler <[email protected]>
1 parent e9ca088 commit 81ddad1

1 file changed

+2
-0
lines changed

docs/CRA-Brief-Guide-for-OSS-Developers.md

Lines changed: 2 additions & 0 deletions
@@ -36,6 +36,8 @@ If you’re putting a PDE on the market in the course of a commercial activity,
3636

3737
Manufacturers may integrate OSS components into their product that is put on the market. The CRA ***does*** apply to manufacturers, because they are putting PDEs on the market with commercial intent. The manufacturer is responsible for all parts of the product, including components from third parties. The manufacturer must [perform “due diligence”](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to determine what components to use, and must also [report component vulnerabilities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_13) to the component maintainer and upstream fixes if they have any. Using an OSS component in a product makes the manufacturer responsible for its use. As a result, it’s expected that some OSS will be more thoroughly assessed, and it’s likely that there will be a preference for more secure OSS. Manufacturers may sometimes [change how they interact with non-commercial OSS](https://eviltux.com/2025/04/25/what-open-source-developers-need-to-know-about-the-eu-cyber-resilience-act-cra/) due to the CRA. So even developers not directly subject to the CRA should learn more about the CRA and work to create more secure software. These manufacturer requirements may generate more interest in your software and your practices, which may spawn requests to the project for documentation, patches, or other artifacts such as a Software Bill of Materials (SBOM).
3838

39+
### Some organizations are OSS Stewards
40+
3941
Organizations that [systematically provide sustained support for developing OSS intended for commercial activities](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_3), but don’t fill another role like “manufacturer”, may be considered “Open Source Software Stewards” under the CRA. It's known that an organization can be a steward for one program and also a manufacturer for a different program ([Benjamin Bögel, FOSDEM 2024, time 18:10](https://fosdem.org/2024/schedule/event/fosdem-2024-3683-the-regulators-are-coming-one-year-on/)). Stewards have fewer obligations than manufacturers, but they have a few [obligations](https://eur-lex.europa.eu/eli/reg/2024/2847/oj#art_24) such as providing a coordinated vulnerability disclosure (CVD) policy, cooperating with market surveillance at their request, providing certain kinds of documentation, reporting known actively exploited vulnerabilities, notifying about severe incidents, informing impacted users, and providing mitigation. There is no requirement for an OSS project to have a steward. However, an OSS project may *choose* to be supported by a steward (who must then meet its obligations).
4042

4143
### CE marking compliance with the EU product legislation
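Review bot: the new heading "### Some organizations are OSS Stewards" states the steward status more strongly than the paragraph it introduces, which says such organizations "may be considered" Open Source Software Stewards and that "There is no requirement for an OSS project to have a steward"; consider a hedged title such as "### Some organizations may be OSS Stewards" so the heading matches the body. The level and placement are consistent with the sibling "### CE marking compliance with the EU product legislation" heading that follows, and the blank line added after the heading keeps the Markdown well-formed.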
