Are there conflicts between CRA requirements and Open Source license obligations, e.g., between integrity requirements and obligations under the GPL to provide installation information?
Answer:
Appendix 1, Part 1, Paragraph 2f, reads as follows:
“On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:
…
(f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;”
Unlike the Radio Equipment Directive (RED), the CRA does not require that users be technically prevented from loading non-compliant software onto a hardware product. Para 2 (f) allows the user to authorize the modification of the software. Accordingly, the manufacturer may provide the necessary Installation Information to the user. However, this may require the Installation Information to be personalised to prevent third parties from exploiting it against the user's wishes.
Keywords
CRA; FOSS; Installation instruction; Installation permission; Integrity requirement; License obligation; Open Source software
Most recent content update of this FAQ: September 2025




