What obligations must be met when FOSS components are integrated into a product that falls within the scope of the CRA? For example, what obligations do machine manufacturers have when using Linux and other FOSS in a device?
Answer:
The CRA establishes various obligations primarily for products placed on the market rather than the components they contain. With regard to FOSS components, this means:
a) Cybersecurity requirements according to Annex I
Under Article 13(5) of the CRA, manufacturers must not only ensure compliance with cybersecurity requirements for their own products, but also “exercise due diligence when integrating components sourced from third parties so that those components do not compromise the cybersecurity of the product with digital elements.” This explicitly applies to integrated FOSS components as well. Accordingly, a general assessment of the cybersecurity of the FOSS components used is not required; rather, manufacturers must specifically assess the impact on their own products. Indirectly, however, this leads to a preliminary assessment of the security of the FOSS used, since security vulnerabilities in individual components could also affect the entire product.
To facilitate security assessments for manufacturers of products that use FOSS, Article 25 of the CRA provides for the possibility of ‘security attestation’. This requires a delegated legal act by the Commission pursuant to Article 61 of the CRA. As of June 2026, this act has not yet been adopted, though it is planned.
b) Assessment of cybersecurity risks
The assessment of cybersecurity risks according to Article 13(2) CRA does not require an assessment of each FOSS component. However, it may indirectly result in the need to assess risks arising from individual FOSS components that could affect the entire product.
c) Preparation of technical documentation
The technical documentation pursuant to Article 31 CRA must contain “all relevant data or details of the means used by the manufacturer to ensure that the product with digital elements and the processes put in place by the manufacturer comply with the essential cybersecurity requirements set out in Annex I.” According to Art. 13(7) CRA, this also includes vulnerabilities of which the manufacturer becomes aware. This also applies to vulnerabilities in included FOSS components and the assessment of their impact. Against this background, it appears necessary to include all third-party components in the documentation and, where necessary, to supplement it with information on the individual components. This is also supported by the reference in Annex VII, 2b) of the CRA, which refers to the SBOM.
d) Strategy for coordinated vulnerability disclosure
If manufacturers become aware of vulnerabilities in their own product, Art. 13(8) CRA stipulates that they shall “process and remediate potential vulnerabilities” following a predefined process. This may also apply to vulnerabilities in FOSS components. In such cases, it will depend on whether the relevant project itself provides a patch for the vulnerability or whether this task must be undertaken by the manufacturer.
e) Conformity assessment procedure
The conformity assessment procedure also includes the technical documentation containing the SBOM, meaning that the FOSS components used must also be taken into account in this regard. However, the assessment must be conducted solely with respect to the manufacturer’s own product; a security attestation of FOSS components in accordance with Article 25 CRA may simplify this process.
f) SBOM
The SBOM must list all FOSS components and their respective versions.
g) Reporting obligations
As soon as the manufacturer identifies a vulnerability in a component integrated into the product with digital elements, including a FOSS component, they shall report the vulnerability to the person or entity that manufactures or maintains that component, and shall address and resolve the vulnerability in accordance with the requirements for vulnerability management set out in Annex I, Part II.
Accordingly, there is also an obligation to report vulnerabilities in FOSS components. Based on the wording, this also applies to vulnerabilities that are already known. However, it seems illogical that vulnerabilities would have to be reported repeatedly. It remains to be seen how the Commission will interpret this provision. Vulnerabilities in FOSS components that have been actively exploited in one’s own product, as well as severe security incidents, must be notified to both the CSIRT and ENISA via the unified reporting platform (see also section 5.4 of the Commission’s FAQ).
Keywords
Assessment of conformity; CRA; Cybersecurity; FOSS; FOSS integration; Obligation; Open Source software; Reporting obligation; SBOM; Technical documentation; Vulnerability
Most recent content update of this FAQ: June 2026