The first proposal (from the EU Commission) of the CRA was badly written when it comes to Open Source. The modified version being proposed for legislation has been much improved and is more clear that the vendor that integrates and place products including Open Source on the market is liable for the functionality of the product – and responsible to keep it secure and up to date.
The document defines a new role for Open Source – an Open Source steward. This role will mainly be taken by the larger foundations that manage Open Source projects, but will also apply to smaller projects.