
Re: [open-regulatory-compliance] Open Source Steward: Role description

On 13 Jun 2024, at 09:31, Moser Sarah RDL DISDS3 <Sarah.Moser@xxxxxx> wrote:

> To me the Steward role seems like an extension to existing compliance officer/OSPO roles with a focus on sec.
> Sharing some hands-on ideas, I plan to extend our OSPO roles with the interface description to the existing CySec org (VA teams, PSIRT, Governance structures).
> Would like to collect feedback on this idea.

So while I have heard this from others as well - I think it is important to stress that the open source steward is an _extra_ economic actor defined in the CRA legislation with:

“open-source software steward means a legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products;”
Art 3, paragraph 18a

So an OSPO would not easily fit this - unless it essentially becomes much like an open source foundation itself & starts to systematically provide support downstream, etc, etc. 

However you will then have to show that this is ‘intended for commercial activities’ & a range of other requirements that are not easily met if the downstream path stays within the organisation. So I do not think it is the intention of the CRA to give OSPOs or compliance officers such a steward role. And I also guess that some of it is designed to exactly prevent some of this; as to prevent some commercial company to create an unfair advantage within its own realm (e.g. allow SMEs that host in a certain way to not have to comply with the CRA). Which is obviously the opposite of what is intended.

With kind regards,

Dw
