15 April 2026
When open-source software (OSS) is used in critical infrastructures, two sets of legal requirements must be taken into consideration: copyright law, in the form of the OSS licenses, and European and German statutory cybersecurity law. With the new European legal obligations under NIS 2, DORA, and the CRA, the management of OSS in certain areas becomes a legal obligation for companies.
According to the KRITIS definition issued by the German federal ministries, the term “critical infrastructures” has the following meaning: “Critical infrastructures (abbreviated: KRITIS) refers to organizations or facilities of vital importance to the state, the failure or disruption of which would result in long-lasting supply shortages, significant disruptions to public safety, or other dramatic consequences.” The German Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) classifies facilities in, among others, the sectors of energy supply, information technology and telecommunications, transportation and traffic, health, water, food, municipal waste disposal, finance, and insurance as critical infrastructures. As in every other part of the economy, business processes in the critical infrastructure sector rely heavily on software. OSS is now an essential component of software architecture across all sectors, which makes it relevant to the critical infrastructure sector as well.
OSS is subject to licensing requirements that must be observed whenever it is used. Generally, OSS licenses can be divided into permissive licenses (e.g., MIT, BSD, Apache 2.0) and copyleft licenses (e.g., LGPL, GPL) (see the detailed article: Strategic management of open source software - Legal framework and compliance requirements in business practice). Permissive licenses are characterized by a high degree of flexibility. The main obligation under these licenses is generally to retain the original copyright notices and make them accessible to the end user. Copyleft licenses, among other things, impose obligations regarding the modification and linking of OSS. Modifications to OSS must themselves be licensed as OSS. If OSS is modified or linked with proprietary software, the entire software package may fall under the copyleft license, which would require the source code to be disclosed to third parties (the so-called copyleft effect).
Violations of OSS licensing requirements carry the risk that the software may no longer be used to the same extent as before. Consequently, there is a risk of injunctive relief claims to stop using the software if the OSS is used in a manner that does not comply with the OSS license terms. This risk is particularly significant in the critical infrastructure sector due to the critical importance of the availability of the respective critical infrastructure facility.
Further, significant risks may arise in the event of a disclosure obligation regarding the source code of software if this provides insight into potential security gaps or vulnerabilities. Such a disclosure obligation may also conflict with confidentiality obligations regarding the protection of IT security in sensitive areas of critical infrastructures.
New EU regulations on IT security – NIS 2, DORA, and CRA – also affect the use of OSS within the respective scope of these frameworks. It is important to note that, in addition to the laws listed below, other sector-specific regulations may also apply.
The European NIS 2 Directive entered into force in January 2023. At the national level, this directive was implemented in Germany in December 2025 through an amendment to the Act on the Federal Office for Information Security and on Information Security in Institutions (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik), BSI Act. NIS 2 establishes a legal framework for maintaining IT security in certain critical sectors. Under the amended BSI Act, once the scope of application is extended, entities in the respective sectors are required to implement appropriate technical and organizational risk management measures to prevent disruptions to their information technology systems. Additionally, there is a registration requirement and an obligation to report security incidents.
The obligation to implement appropriate technical and organizational risk management measures includes, among other things, measures for supply chain security and security measures during the procurement, development, and maintenance of information technology systems, including the management and disclosure of vulnerabilities. To the extent that OSS is used in the critical infrastructure sector, there may be a risk of violating the relevant legal requirements without appropriate OSS compliance management that includes tracking and ongoing monitoring of the OSS used within the company.
The European Digital Operational Resilience Act (DORA) entered into force in January 2025 and is directly applicable in the individual Member States. DORA is intended to strengthen the digital resilience of the European financial sector. Within its scope of application for financial sector companies, the regulation includes, among other things, requirements for the risk management of information and communication technology and for the monitoring of critical third-party information and communication technology service providers.
Under DORA there is likewise a risk of violating legal requirements if no adequate OSS compliance management, including tracking and ongoing monitoring of the OSS used within the company, is implemented.
The European Cyber Resilience Act (CRA) entered into force in December 2024 and establishes a minimum level of IT security for all networked products available on the EU market. The CRA is a regulation that applies directly in the individual Member States. The CRA will be implemented in phases through the end of 2027. Through product requirements, the CRA includes IT security guidelines as part of the design and development process. In addition, the CRA contains requirements for addressing vulnerabilities and obligations regarding technical documentation, including the creation of a Software Bill of Materials (SBOM) listing (third-party) components. Furthermore, Chapter II of the CRA sets out a series of detailed obligations for manufacturers, importers, distributors, and managers of OSS.
Within the scope of the CRA, comprehensive OSS compliance management becomes mandatory. Affected companies are required, among other things, to create an SBOM containing OSS components and to keep it up to date.
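One building block of the OSS compliance management described above is an automated review of the SBOM that flags copyleft and unlicensed components for legal review, using the permissive/copyleft distinction drawn earlier. The following is an added illustration and not the firm's or any regulator's tooling; it assumes a CycloneDX JSON SBOM with SPDX license identifiers, and the SBOM content is constructed for the example.

```python
import json

# Constructed CycloneDX 1.5 SBOM fragment for illustration only (not a real product's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "libbar", "version": "3.1.4",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "libbaz", "version": "0.9.0",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        # No license declared at all: must be resolved before the product ships.
        {"type": "library", "name": "libqux", "version": "2.0.0"},
    ],
})

# Minimal classification tables; a production policy would be far more complete.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
STRONG_COPYLEFT_PREFIXES = ("GPL-", "AGPL-")   # copyleft effect on linking
WEAK_COPYLEFT_PREFIXES = ("LGPL-", "MPL-")     # file/library-scoped copyleft

def classify(spdx_id):
    """Map an SPDX identifier to a policy category for legal review."""
    if spdx_id is None:
        return "unknown"
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id.startswith(STRONG_COPYLEFT_PREFIXES):
        return "strong-copyleft"
    if spdx_id.startswith(WEAK_COPYLEFT_PREFIXES):
        return "weak-copyleft"
    return "unknown"

def component_licenses(component):
    """Return declared license ids (or names) of a component; [None] if none declared."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name"))
    return ids or [None]

def review_sbom(sbom_text):
    """Return every component that is not clearly permissive, in SBOM order."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        for lic in component_licenses(comp):
            category = classify(lic)
            if category != "permissive":
                findings.append({"name": comp["name"], "version": comp.get("version"),
                                 "license": lic, "category": category})
    return findings
```

Running review_sbom on the sample flags libbar (strong copyleft), libbaz (weak copyleft) and libqux (no declared license) while libfoo passes; keeping the SBOM current, as the CRA requires, turns this check into an ongoing control rather than a one-off audit.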
Violations of the requirements set forth in the NIS 2 Directive, DORA, or the CRA may result in administrative fines. Furthermore, in the case of certain legal violations, the management of the respective companies may be held liable.
Given the specific requirements for the availability of critical infrastructure facilities and regulatory requirements for cybersecurity measures, OSS compliance in the critical infrastructure sector should be an integral part of risk management.
Our recommended measures for OSS compliance:
Taylor Wessing supports clients at this intersection with combined expertise in IT law, IP strategy, and technical understanding to ensure innovations are legally compliant and sustainable.