Source: OJ L 2024/2847, 20.11.2024
Article 24 Obligations of open-source software stewards
Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject.
That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.
Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating the cybersecurity risks posed by a product with digital elements qualifying as free and open-source software.
Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form.
The obligations laid down in Article 14(1) shall apply to open-source software stewards to the extent that they are involved in the development of the products with digital elements. The obligations laid down in Article 14(3) and (8) shall apply to open-source software stewards to the extent that severe incidents having an impact on the security of products with digital elements affect network and information systems provided by the open-source software stewards for the development of such products.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.