orcwg · rozhukov · May 30, 2025
diff --git a/questionnaires/oss-projects.md b/questionnaires/oss-projects.md
@@ -1,45 +1,54 @@
-# Questions to OSS projects
-
-* What questions regarding the commercial background arise for your project?
-
-* Do you know what your role will be under the CRA?
-
-* Is there anything that makes you feel that you have to fulfil the requirements of the CRA?
-
-* What guidance/standards would you need for voluntary compliance with the CRA requirements?
-
-* What help do you need most (from steward, manufacturer, regulators/authorities, sponsor companies, vulnerability program leaders, etc.) as a maintainer to make your project more attractive for your users, as they eventually may see CRA compliance as an adoption requirement?
-
-* Are there any support services that you are already receiving and if so, what are they?
-
-* Who do you receive this support from?
-
-* Could this support already help you fulfil the CRA requirements?
-
-* Do you want to be able to declare/respond that you as a contributor or individual maintainer are out of scope for CRA obligations? (yes/no question)
-
-* Can you imagine someone taking on the steward role for your project?
-
-* Can you imagine taking on the steward role yourself?
-
-* Who can you imagine as a steward for your project?
-
-* Could it be more than one steward?
-
-## Questions for potential stewards
-
-* What do you think makes you a steward?
-
-* What do you need from the open source developers to fulfil the CRA requirements?
-
-* What help do you  also need (from manufacturer,  regulators/authorities, sponsor companies, vulnerability program leaders, etc.) to fulfil CRA requirements?
-
-* What do you need to prove to the manufacturers that the open source components fulfil the requirements?
-
-* In the event that there is proof that an open source component fulfils the CRA requirements, is there a willingness to receive money for this as a steward (from the manufacturers) or to pay for it (to developers)?
-
-* Are there any requirements that you fear you will not be able to fulfil as a steward?
-
-* Are you afraid of any consequences if you as a steward don't meet CRA obligations?
-
-* What would you consider if somebody asks you to become a steward?
+# Questionnaire for OSS Projects Maintainers in terms of CRA
+## Introduction
+This questionnaire is designed to gather crucial insights from open source project maintainers regarding the EU Cyber Resilience Act (CRA). Your responses will help us understand challenges and needed guidance. This will inform our work across the ecosystem and with the European Commission to influence the CRA implementation and improvements.
+This questionnaire assumes you are familiar with the CRA. It is understood not all questions may be applicable, but please try to answer as many as possible.
+## 1. Role and Responsibilities
+    1.1. Do you know what your role will be under the CRA?
+    1.2. Do you want to be able to declare/respond that you as a contributor or individual maintainer are out of scope for CRA obligations? (yes/no question)
+    1.3. What questions regarding the commercial background arise for your project?
+    1.4. ++ Are you confident that you don’t have any obligations under CRA if you merely contribute to an open source project, but do not maintain it?
+    1.5. ++ Are you confident that you don’t have any obligations under CRA if you maintain an open source project, but do not monetise it?
+    1.6. ++ If you’re taking donations for an open source project that you maintain, do you assess they are lower, almost the same, bigger or significantly bigger than the actual costs of development and maintenance?
+## 2. Requirements
+    2.1. Is there anything that makes you feel that you have to fulfil the requirements of the CRA?
+    2.2. What guidance/standards would you need for voluntary compliance with the CRA requirements?
+    2.3. ++ Do you think you do almost everything already that’s needed to fulfill CRA requirements (even if voluntary)?
+    2.4. ++ Do you think requirements are significantly different depending on programming languages or technology stack (e.g, easier for Python because of package managers versus C/C++)?
+    2.5. ++ Do you think you need to perform obligatory conformity assessment because, e.g, your project is in the Important or Critical category?
+## 3. Stewards engagement
+    3.1. Can you imagine someone taking on the steward role for your project?
+    3.2. Can you imagine taking on the steward role yourself?
+    3.4. Who can you imagine as a steward for your project?
+    3.5. Could it be more than one steward?
+    3.6. ++ Do you feel joining one of the stewards will relieve you from most of the CRA responsibilities (even if voluntary)?
+    3.7. ++ Do you feel you must join one of the stewards (or become a steward) because of CRA?
+## 4. Support needed
+    4.1. What help do you need most (from steward, manufacturer, regulators/authorities, sponsor companies, vulnerability program leaders, etc.) as a maintainer to make your project more attractive for your users, as they eventually may see CRA compliance as an adoption requirement?
+    4.2. Are there any support services that you are already receiving and if so, what are they?
+    4.3. Who do you receive this support from?
+    4.4. Could this support already help you fulfil the CRA requirements?
+    4.5. ++ Do you feel the language or package manager ecosystem your project depends on will be able (or must) provide all necessary su
+
+# Questionnaire for potential OSS Stewards in terms of CRA
+## Introduction
+This questionnaire is designed to gather crucial insights from potential open source software stewards regarding the EU Cyber Resilience Act (CRA). Unlike a Manufacturer, the role of an OSS SW Steward is not mandatory. Your responses will help us understand challenges and needed guidance for those who consider themselves as a potential OSS SW Steward. This will inform our work across the ecosystem and with the European Commission to influence the CRA implementation and improvements.
+This questionnaire assumes you are familiar with the CRA. It is understood not all questions may be applicable, but please try to answer as many as possible.
+## 1. Role and Responsibilities
+    1.1. What do you think makes you a steward?
+    1.2. ++ Do you consider yourself a Manufacturer and a Steward , but for different projects?
+    1.3. ++ Is it difficult for you to become a Stewart because of the risk of being designated as a Manufacturer?
+    1.4. ++ Do you think you can as easily opt-out from as opt-in for the Steward role?
+## 2. Requirements
+    2.1. Are there any requirements that you fear you will not be able to fulfil as a steward?
+    2.2. Are you afraid of any consequences if you as a steward don't meet CRA obligations?
+    2.3. What do you need to prove to the manufacturers that the open-source components fulfil the requirements?
+    2.4. ++ How would you as an open-source software stewards demonstrate that you meet CRA obligations?
+    2.5. ++ Will it be hard to comply with vulnerability notification requirements (e.g, notify ENISA)?
+    2.6. ++ Are you comfortable with cooperating with authorities requirement? 
+## 3. Open Source Projects engagement
+    3.1. What do you need from the open-source developers to fulfil the CRA requirements?
+    3.2. What would you consider if somebody asks you to become a steward?
+    3.3. In the event that there is proof that an open-source component fulfils the CRA requirements, is there a willingness to receive money for this as a steward (from the manufacturers) or to pay for it (to developers)?
+## 4. Support needed
+    4.1. What help do you need (from manufacturer, regulators/authorities, sponsor companies, vulnerability program leaders, etc.) to fulfil CRA requirements?
+    4.2. ++ Do you think manufacturers must support stewards?