Donating an open source project to a foundation such as the CNCF restructures your EU Cyber Resilience Act (CRA) risk but does not eliminate it. The legal surface area of direct ownership shrinks and governance overhead shifts to the foundation, but obligations around supply chain visibility, vulnerability response, and SBOM documentation remain with any company that ships the code commercially. What gets harder: control over security response timelines is lost, roadmap alignment becomes more difficult, and there is a gap between a one-time legal donation and ongoing active contribution. Using a foundation donation purely as a compliance maneuver, without a genuine transfer of governance and continued engineering involvement, is unlikely to withstand regulatory scrutiny. The Kubernetes/CNCF transition is cited as the gold standard for what a genuine transfer looks like.

From giantswarm.io (8 min read)
Table of contents:
What the CRA actually says first
What gets better
What stays the same
What gets harder
The version that doesn't work
What good looks like
