icon-grid
Better Regulation logo
Table of Contents

Table of Contents

Expand all headings Collapse all headings Expand side bar Collapse side bar
Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance)RecitalsChapter I General ProvisionsArticle 1 Subject matterArticle 2 ScopeArticle 3 DefinitionsArticle 4 Free movementArticle 5 Procurement or use of products with digital elementsArticle 6 Requirements for products with digital elementsArticle 7 Important products with digital elementsArticle 8 Critical products with digital elementsArticle 9 Stakeholder consultationArticle 10 Enhancing skills in a cyber resilient digital environmentArticle 11 General product safetyArticle 12 High-risk AI systemsChapter II Obligations of economic operators and provisions in relation to free and open-source softwareArticle 13 Obligations of manufacturersArticle 14 Reporting obligations of manufacturersArticle 15 Voluntary reportingArticle 16 Establishment of a single reporting platformArticle 17 Other provisions related to reportingArticle 18 Authorised representativesArticle 19 Obligations of importersArticle 20 Obligations of distributorsArticle 21 Cases in which obligations of manufacturers apply to importers and distributorsArticle 22 Other cases in which obligations of manufacturers applyArticle 23 Identification of economic operatorsArticle 24 Obligations of open-source software stewardsArticle 25 Security attestation of free and open-source softwareArticle 26 GuidanceChapter III Conformity of the product with digital elementsArticle 27 Presumption of conformityArticle 28 EU declaration of conformityArticle 29 General principles of the CE markingArticle 30 Rules and conditions for affixing the CE markingArticle 31 Technical documentationArticle 32 Conformity assessment procedures for products with digital elementsArticle 33 Support measures for microenterprises and small and medium-sized enterprises, including start-upsArticle 34 Mutual recognition agreementsChapter IV Notification of conformity assessment bodiesArticle 35 NotificationArticle 36 Notifying authoritiesArticle 37 Requirements relating to notifying authoritiesArticle 38 Information obligation on notifying authoritiesArticle 39 Requirements relating to notified bodiesArticle 40 Presumption of conformity of notified bodiesArticle 41 Subsidiaries of and subcontracting by notified bodiesArticle 42 Application for notificationArticle 43 Notification procedureArticle 44 Identification numbers and lists of notified bodiesArticle 45 Changes to notificationsArticle 46 Challenge of the competence of notified bodiesArticle 47 Operational obligations of notified bodiesArticle 48 Appeal against decisions of notified bodiesArticle 49 Information obligation on notified bodiesArticle 50 Exchange of experienceArticle 51 Coordination of notified bodiesChapter V Market surveillance and enforcementArticle 52 Market surveillance and control of products with digital elements in the Union marketArticle 53 Access to data and documentationArticle 54 Procedure at national level concerning products with digital elements presenting a significant cybersecurity riskArticle 55 Union safeguard procedureArticle 56 Procedure at Union level concerning products with digital elements presenting a significant cybersecurity riskArticle 57 Compliant products with digital elements which present a significant cybersecurity riskArticle 58 Formal non-complianceArticle 59 Joint activities of market surveillance authoritiesArticle 60 SweepsChapter VI Delegated powers and committee procedureArticle 61 Exercise of the delegationArticle 62 Committee procedureChapter VII Confidentiality and penaltiesArticle 63 ConfidentialityArticle 64 PenaltiesArticle 65 Representative actionsChapter VIII Transitional and final provisionsArticle 66 Amendment to Regulation (EU) 2019/1020Article 67 Amendment to Directive (EU) 2020/1828Article 68 Amendment to Regulation (EU) No 168/2013Article 69 Transitional provisionsArticle 70 Evaluation and reviewArticle 71 Entry into force and applicationAnnex I Essential cybersecurity requirementsAnnex II Information and instructions to the userAnnex III Important products with digital elementsAnnex IV Critical products with digital elementsAnnex V EU Declaration of conformityAnnex VI Simplified EU declaration of conformityAnnex VII Content of the technical documentationAnnex VIII Conformity assessment proceduresDone at
Document Overview
Tools
Set a date to view the document
Text comparison options
Full text - Date 1 vs Date 2
Amendments requiring commencement - Current text vs Text requiring commencement
Draft proposed changes - Current text vs Text proposed by drafting documents
Coming soon: Any documents - Any document vs Another document at any date
Print / Export options
Current page
Whole document
Selected pages
Consolidated PDF of the entire document as of 23rd December 2024
Export
Export line by line
Export provision to provision
Report template
Create report template
Alert me to changes
Manage alerts
Bookmarks
This page
This document
Manage bookmarks
Search within this document
View previous searches
Share
Get page link
Share via email application
PreviousNext
Version status: Published | Document consolidation status: No known changes
Version date: 20 November 2024 - onwards

Article 24 Obligations of open-source software stewards

1. Open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product. That policy shall also foster the voluntary reporting of vulnerabilities as laid down in Article 15 by the developers of that product and take into account the specific nature of the open-source software steward and the legal and organisational arrangements to which it is subject. That policy shall, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.

2. Open-source software stewards shall cooperate with the market surveillance authorities, at their request, with a view to mitigating thecybersecurity risks posed by aproduct with digital elements qualifying as free and open-source software.

Further to a reasoned request from a market surveillance authority, open-source software stewards shall provide that authority, in a language which can be easily understood by that authority, with the documentation referred to in paragraph 1, in paper or electronic form.

PreviousNext