Step 4: Cooperate upon Request

Upon request from EU authorities, cooperate in mitigating security risks.

Article 24(2) of the CRA requires open-source software stewards to comply with EU “market surveillance authorities” upon request, to mitigate cybersecurity risks for open source software.

The term “market surveillance authorities” refers to the regulators appointed by each EU member state to oversee compliance of products in the EU market, and to ensure protection of the public interest. (See Article 3(3) and 3(4) of Regulation (EU) 2019/1020 for applicable definitions.)

The project’s security policy should include points of contact for receiving requests from these regulators.

These points of contact should include multiple people, drawn from at least two separate, unaffiliated companies or individuals. A group email address may be preferable, so that no single individual is solely responsible for receiving inquiries.