The recently finalized EU "Cyber Resilience Act" (CRA), set for approval in early 2024, introduces stringent security certifications and reporting mandates for manufacturers and importers of "products with digital elements" (PDEs). Notably, the legislation encompasses open source "developers" and "output," potentially holding volunteers legally liable for security flaws in codebases used across various software products.
This move marks a paradigm shift, as even contributors to open source projects may now face fines up to €15 million or 2.5% of global turnover for security defects. The implications for the open source community are profound, demanding a closer look at legal protections and potential repercussions.