Will a company retract an OSS project due to the Cyber Resilience Act?
25% chance
https://www.theregister.com/2023/12/04/infosec_in_brief/
https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

GitHub raised this potential problem about the Cyber Resilience Act of the EU:

Problem 2: The CRA regulates open source projects with corporate developers

Open source projects are often multi-stakeholder: they receive contributions from developers building as individuals, volunteering in foundations, and working for companies, large and small. The current text (Recitals 10 and 10a) would regulate open source projects unless they have “a fully decentralised development model.” Any project where a corporate employee has commit rights would need to comply with CRA obligations. This turns the win-wins of open source on its head. Projects may ban maintainers or even contributors from companies, and companies may ban their employees from contributing to open source at all. The result will be a less innovative and less secure software ecosystem.

Resolves YES if a company retracts an OSS project they published and blames the CRA for that.

Resolves NO if the CRA is abandoned or if no such announcement is posted in the comments.

Closes one year after the CRA regulation becomes active (which seems to be two years after the EU formally adopts it). The close date will be adapted accordingly.

predicts NO

CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA.

Says Debian
