Thanks for the discussion Dirk-Willem, Steffen, Marta, Florian and Christian.
I am bringing forward this actual use case to try to sharpen our discussion and understanding because it seems like an edge case but not uncommon.
Drupal is a loose open source ecosystem with probably a few billion in annual turnover used by about 1 percent of internet websites .
I'm trying to tease out the difference between the primary function of an open source project (e.g. Drupal as a CMS, which is not covered by
https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_3.html), the primary function of an extension to the product (e.g. a Drupal module supporting OAuth for identity access management, which is covered by Annex 3 but is normally not the primary function of a Drupal install), and the primary function of the product in a particular sale (of Drupal with OAuth module as an identity access management system). I suspect that the firm selling the open source solution would have legal liabilities to ensure that it is securely developed, but I am unclear after that.
So I'm still trying to figure out which entities would meet which legal definitions in the sale of an individual Drupal CMS with a primary purpose of serving as an identity management system for access control to a political party or government department based on generic modules. I'm assuming that a consulting company making the sale and making the site from open source components would be the manufacturer: they are taking money, so they are putting the software on the market.
I'm unclear on whether individuals contributing to the relevant software modules will be protected or liable in some way.
In the Drupal ecosystem, there is a Drupal Association that as I understand it may be a candidate for Open Source Steward. I do not understand whether the maintainers of the 50,000+ contributed modules who tend to be a collection of a small number of individuals sometimes getting sponsorships will qualify as collections of Stewards, e.g.
https://www.drupal.org/project/simple_oauth or
https://www.drupal.org/project/auth0 . I doubt it. They rarely get money for sites that include their module, so I'm not sure if they are manufacturers in our example of a sale by the consulting company.
I hope this is helpful.
Joe Murray, PhD (he/him)
President, JMA Consulting
416.466.1281
We respectfully acknowledge the autonomy of Indigenous peoples, and that JMA Consulting is located on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples which is now home to many diverse First Nations, Inuit and Métis peoples. We also acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit.
