2026-07-02 - 14:13
FAQ

Are there conflicts between CRA requirements and Open Source license obligations, e.g., between integrity requirements and obligations under the GPL to provide installation information?

Answer:

Appendix 1, Part 1, Paragraph 2f, reads as follows:

On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:

(f) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, and report on corruptions;

Unlike the Radio Equipment Directive (RED), the CRA does not require that users be technically prevented from loading non-compliant software onto a hardware product. Paragraph 2(f) allows the user to authorise the modification of the software. Accordingly, the manufacturer may provide the necessary installation information to the user. However, this may require the installation information to be personalised to prevent third parties from exploiting it against the user's wishes.

Keywords

CRA; FOSS; Installation instruction; Installation permission; Integrity requirement; License obligation; Open Source software

Most recent content update of this FAQ: September 2025