The EU Cyber Resilience Act (Regulation 2024/2847) creates unfunded compliance mandates for open source foundations acting as 'stewards' by December 2027

The EU Cyber Resilience Act, which entered into force on December 10, 2024, introduces the novel legal category of 'open-source software steward' -- foundations and other legal persons that systematically provide sustained support for the development of open source software intended for use in commercial products. Stewards must put in place and document a cybersecurity policy for the projects they support, report actively exploited vulnerabilities and severe incidents to the EU's single reporting platform (run by ENISA, with the designated national CSIRT as coordinator) to the extent they are involved in the affected product's development, cooperate with market surveillance authorities, and promote vulnerability information sharing. The reporting obligations apply from September 11, 2026 and the Act applies in full from December 11, 2027. Why it matters: open source foundations such as the Apache Software Foundation, Eclipse Foundation, and Linux Foundation must build compliance infrastructure covering hundreds of projects, and foundations already operating on thin margins will have to hire legal and security staff or fall out of compliance. Smaller open source organizations without EU legal expertise may simply stop distributing software in Europe. Commercial manufacturers that ship open source in their products must treat every such component like first-party code for vulnerability handling. The net effect is that the compliance burden falls disproportionately on the least-resourced participants in the software supply chain. The structural root cause is that the CRA was designed primarily for commercial software vendors and IoT manufacturers; while the final text exempts non-commercial open source development from the heaviest requirements (conformity assessment, CE marking and the full manufacturer obligations), the 'steward' category creates a gray zone in which nonprofit foundations face regulatory obligations without corresponding revenue streams or government funding to meet them.

Evidence

The Cyber Resilience Act was published as Regulation (EU) 2024/2847 in the Official Journal of the EU on November 20, 2024 and entered into force on December 10, 2024. GitHub's policy team published analysis noting that 'steward' obligations include reporting actively exploited vulnerabilities within 24 hours of becoming aware of them; that figure is the Article 14 early-warning deadline, which is followed by a fuller vulnerability notification within 72 hours and a final report within 14 days of a corrective measure becoming available, and it binds a steward only to the extent the steward is involved in the development of the affected product. The OpenSSF and Eclipse Foundation have published guidance documents for their communities. The Act applies to 'products with digital elements' placed on the EU market, subject to sector-specific exclusions for products already covered by other EU rules (for example medical devices and motor vehicles). Open-source software stewards are exempt from administrative fines but not from the compliance obligations themselves. Red Hat's analysis notes that manufacturers using open source in commercial products must handle vulnerability management, updates, and documentation for open source components identically to proprietary code.
