An open-source software steward is any legal person who provides systematic support for the development of a free and open-source software product, the intended use of which can reasonably be expected to be commercial.
Key facts
- New category introduced by the CRA to address OSS without penalising individual developers
- Lighter obligations than manufacturers (no CE marking, no declaration of conformity (DoC))
- Must put a cybersecurity policy in place and cooperate with authorities
- Commercial-activity test determines whether an OSS project is in scope
- Steward status does not apply to downstream users who package/distribute the software
Open-source software stewards must put in place and document a cybersecurity policy that fosters the development of a secure product and enables effective handling of vulnerabilities in the open-source software components they support.
Open-source software stewards must notify the relevant CSIRT (computer security incident response team) designated as coordinator without undue delay of any actively exploited vulnerability contained in their open-source software components, as well as any severe incident affecting the security of those components.
Open-source software stewards must cooperate with market surveillance authorities upon request and provide all information required for the performance of their regulatory tasks.
Upon request from market surveillance authorities, open-source software stewards must draw up and keep up-to-date technical documentation for the open-source software components they administer, sufficient to allow assessment of cybersecurity compliance.