Hi community!
We’ve recently had a few discussions about the deprecation of software libraries in Automation Studio 6.
This is usually very inconvenient for users. But B&R certainly has good reasons for doing so, especially when the libraries are very, very old.
Recently, a new reason has emerged with the Cyber Resilience Act (The Cyber Resilience Act - Summary of the legislative text | Shaping Europe’s digital future).
Let’s illustrate this using the example of the deprecation of ‘LoopCont’ which we have discussed in detail here.
Some users were hoping for an open-source release so that B&R would no longer have to worry about CRA.
From my perspective, a publication doesn’t change anything. However, I should add that I have no legal expertise and am not a CRA expert.
But what else is all this AI stuff good for? So let’s hear what its findings are.
I hope this will help you better understand B&R’s situation, just as we fully understand why this is very, very unpleasant for you.
(and secretly, I too hope that we could just ignore all of this and that B&R would simply release the source code).
# CRA Compliance for Software Libraries in Machinery
## 1. Must CRA Compliance be Considered for this Library?
**YES, it likely must be considered.**
Your library falls under CRA scope because:
- It contains process control components with digital elements
- It's placed on the market as part of a commercial package generating revenue
- **The key scope test**: The CRA applies to "products with digital elements made available on the market, whose intended purpose or reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network"
Even though your library lacks network communication components, process control software is explicitly mentioned in CRA critical categories. For example, SCADA systems and industrial process controllers fall under Annex III Class II. Your library would be classified as a **Default Product** (lower risk) requiring self-assessment, since it's a component without network communication.
### References
- [Cyber Resilience Act - EC Digital Strategy](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)
- [CRA Summary - EC Digital Strategy](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)
- [CRA Guide for Software Developers](https://www.cyberresilienceact.eu/cra-guide-for-software-developers/)
- [CRA Compliance Checklist for Process Control & SCADA Systems](https://cvdportal.com/compliance/process-control)
- [FAQs on the Cyber Resilience Act](https://www.ibf-solutions.com/fileadmin/Dateidownloads/faqs-on-the-cra-implementation.pdf)
---
## 2. Could CRA Compliance be Ignored if Released as Open Source?
**NO, not automatically.**
The exemption is **not based on the open-source license itself**, but on whether commercial activity is involved:
- **Exempt if**: Genuinely non-commercial, no profit generation, no business entity involved
- **In scope if**: Any commercial activity connected to development/supply (e.g., part of a package generating revenue)
Since your library is currently part of a revenue-generating package, releasing it as open source **does not automatically exempt it** unless all commercial connection is severed.
### Key Points
According to CRA regulations:
- The licensing model (GPL, MIT, Apache, etc.) does not trigger exemption
- What matters is whether commercial activity is involved in the supply chain
- Free and open-source software (FOSS) is exempt only if developed/supplied outside of commercial activity
- Individual developers accepting donations are often exempt, but entities/companies with commercial ties remain in scope
### References
- [The Cyber Resilience Act and Open Source - Linux Foundation](https://www.lpi.org/blog/2025/09/09/the-cyber-resilience-act-and-open-source/)
- [Open Source Software Obligations - BCL Law](https://www.bclplaw.com/en-US/events-insights-news/the-cyber-resilience-acts-obligations-for-open-source-software.html)
- [When Free WordPress Plugins Are Still In Scope - CRA Guard](https://getcraguard.com/blog/cra-open-source-exemption)
---
## 3. Is it Relevant WHERE the Library is Published?
**YES, it is relevant, but with important nuances.**
### Geographic Scope
- The CRA applies if **EU users can access the software**, regardless of where it's hosted or developed
- Publishing location (GitHub, GitLab, your own server) does not matter if EU accessibility exists
- The regulation targets all software "placed on the market" to EU users
### Key Point
If you publish open-source code publicly (anywhere), EU users will access it. If any commercial activity is connected to the library (your current situation), CRA compliance obligations apply regardless of publication platform.
### References
- [Understanding the Cyber Resilience Act - Linux Foundation](https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act)
- [CRA Compliance Guide for WordPress Developers - Patchstack](https://patchstack.com/whitepaper/cyber-resilience-act-checklist/)
- [CRA Summary - EC Digital Strategy](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)
---
## Summary
For your commercial library with process control components:
> **CRA compliance must be considered now and would remain required if open-sourced while maintaining any commercial connection.** Publishing location is irrelevant if EU users can access the code.
### Timeline
- **September 11, 2026**: Reporting obligations start applying
- **December 11, 2027**: Full CRA compliance mandatory
### Next Steps
If your library falls under CRA scope, you will need to:
1. Perform a cybersecurity risk assessment
2. Ensure essential cybersecurity requirements are met
3. Prepare technical documentation including:
   - Software Bill of Materials (SBOM)
   - EU Declaration of Conformity
   - Risk assessment documentation
4. For non-critical products: Self-certification with CE marking
5. Implement vulnerability reporting procedures
6. Maintain support period documentation
### References
- [CRA Summary - EC Digital Strategy](https://digital-strategy.ec.europa.eu/en/policies/cra-summary)
- [The Cyber Resilience Act - Shaping Europe's Digital Future](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)