CRA Notebook
№ 005 · Last reviewed 26 Apr 2026 · 14 min read · Draft, non-binding · Standing

Free-and-open-source software, and the six sub-tests for “commercial activity”.

The CRA does not regulate FOSS unless it’s placed on the market “in the course of a commercial activity”. The guidance breaks that into six sub-tests — charging a price, monetisation of services, support, donations, financing, integration — and a not-for-profit carve-out. The donation rule alone is enough to change product strategy.

A Taipei developer publishes a small Python library on GitHub that lets factory PLCs talk to MQTT brokers more reliably. Anyone can use it, anyone can modify it, the licence is MIT. Three years later, the library is downloaded ten thousand times a month. The developer takes Patreon donations to keep the lights on. Is this in the CRA’s scope?

The CRA does not regulate free-and-open-source software unless it is “placed on the market in the course of a commercial activity” (Article 3(22) read with Recital 18). The whole open-source ecosystem turns on what those words mean. Section 3 of the Draft Guidance is the Commission’s answer. It breaks “commercial activity” into six sub-tests, each of which can independently push your project from out-of-scope into manufacturer-with-obligations.

The legal question

The CRA defines “manufacturer” (Article 3(13)) as a natural or legal person who supplies a product under their name or trademark, in the course of a commercial activity. Recital 18: the provision of products with digital elements qualifying as free and open-source software that are not monetised by their manufacturers should not be considered to be a commercial activity. The whole question hinges on what counts as “monetised”.

Sub-test 1: Charging a price.

If the FOSS publisher charges money for the software — for the whole product or just for some of its features — the software is placed on the market. The publisher is a manufacturer. End of question.

There’s a useful pattern the Commission acknowledges: the “community vs. paid” split. A publisher who offers a free community version and a paid version is publishing two different products. The paid version is on the market; the community version is not, even if the codebase is almost identical. The Commission walks through this in paragraph 49 of the Draft Guidance. Critically, if the publisher is a legal person, it picks up open-source steward obligations on the community version too — not manufacturer obligations, but a lighter set under Article 24.

Sub-test 2: Monetising other things through the software.

The software itself is free, but it’s a vehicle for monetising something else. Three patterns the Commission spells out:

Marketplace apps. A free FOSS marketplace app where users can buy goods or services through it — the publisher monetises the goods/services flowing through. Placed on the market.

Freemium VPNs. A FOSS VPN where some servers are free and some require payment. The publisher monetises the premium servers through the free app. Placed on the market.

Personal data as a condition of use. A free FOSS fitness app whose use is conditional on processing personal data for targeted advertising or unrelated analytics. The data is the price. Placed on the market.

There’s an important carve-out the Commission states explicitly: data processing for the purposes of improving the security, compatibility or interoperability of the software is not monetisation. So if your FOSS app processes telemetry only to find bugs and improve performance, you’re fine. The line is drawn at where the data goes — back into the product, or out to advertisers.

Sub-test 3: Support services.

Many FOSS publishers offer paid support around their freely-licensed software. The Commission distinguishes between two patterns. If the FOSS itself can be downloaded and installed freely — and you can optionally pay for support — the FOSS is not on the market. The support service is its own thing. If, however, access to a particular version with particular benefits (technical assistance, performance optimisation, enterprise features) is conditioned on payment, that version is on the market.

The pattern often called “open core” (free community + paid enterprise) clearly puts the enterprise version on the market. The community version’s status depends on whether it’s also independently being monetised — usually it isn’t.

There’s an additional carve-out for natural persons (Recital 15 of the CRA): if the price for support services serves only to recover actual costs — including the developer’s reasonable living expenses — this is not commercial activity. So a single developer charging for support to make rent is not turned into a manufacturer by virtue of charging for support. The threshold sits at “profit-seeking”, not at “any payment”.

Sub-test 4: Donations.

This is the most subtle of the six sub-tests. Recital 15 states: accepting donations without the intention of making a profit is not commercial activity. The Commission elaborates: the mere fact of including a donation link — even if donations exceed costs — should not be viewed as profit-seeking. Donations fluctuate; some flexibility is appropriate. A FOSS supported only through donations is unlikely to be on the market.

Where it tips: when donations become de facto equivalent to charging a price. The Commission lists three triggers:

(i) Access to the FOSS, to essential functionalities, or to updates is in practice conditioned on making a donation. Example 15 in the Draft Guidance: a publisher provides downloads and security updates only to donors. Donors get the working product; non-donors get the source code on GitHub but no compiled binaries. That’s a price, called a donation.

(ii) Donations come with contractual benefits or exclusive advantages beyond “community perks”. A T-shirt or a Discord role is a community perk. Pre-release access to features, dedicated support channels, or guaranteed bug-fix turnaround — that’s a paid benefit dressed as a donation tier.

(iii) The way donations are organised demonstrates an intention to systematically generate profit, rather than to ensure the software’s sustainability and fair compensation for contributors. This is the wooliest of the three; the test is intent, expressed through structure.

Donations are out of scope until they look like a price. The Commission gives three signs that they’ve started to look like one.

Sub-test 5: Financing — who paid for the development?

The mere fact that someone else — a company, a foundation, a government grant — paid for the development of the FOSS does not, by itself, place it on the market. Recital 18 of the CRA explicitly says financing circumstances should not determine the commercial nature of the activity. So a Taiwanese engineer working on a FOSS library funded by a corporate sponsorship, or a foundation grant, or a Linux Foundation Mentorship, is not pushed into manufacturer territory just by accepting that funding.

The trigger is not who funded the development, it’s how the resulting software is supplied. If it’s openly shared and freely available to use, modify, and redistribute, the funding source doesn’t matter. If access is restricted to the funder, or if the funder retains a private fork while the public version is crippled — that’s where things shift.

Sub-test 6: Not-for-profit entities.

Recital 19 of the CRA carves out a special path for not-for-profit legal entities. Where any surplus generated by the entity is reinvested entirely in not-for-profit objectives — software development, infrastructure, sustainability of the project — the entity is not engaged in commercial activity, even if it monetises in some way. So an Apache Software Foundation, a CNCF, an Eclipse Foundation, can monetise without becoming a manufacturer, provided the surplus stays inside the not-for-profit purpose.

This is structurally important for APAC: if you organise FOSS work through a not-for-profit incorporated locally (or through one of the well-known international foundations), you can sustain monetised activities — selling training, hosting events, collecting membership fees — without becoming the “manufacturer” of the software the foundation produces.

APAC implications: Three patterns from the Asian FOSS world.

Pattern 1: The startup that “open-sources” its core. A Tokyo SaaS startup releases the core of their product as FOSS, while charging for the hosted version. Two products: the FOSS core (probably out of scope) and the hosted version (definitely on the market). The trap: many startups think putting their code on GitHub buys them out of CRA obligations entirely. It doesn’t — it just changes which of their products is regulated.

Pattern 2: The Patreon-supported maintainer. A Taiwanese individual maintainer of a popular FOSS library accepts Patreon donations totalling around €30,000 a year. Recital 15 protects this: donations covering “reasonable living expenses” do not constitute commercial activity. The library is out of scope. The maintainer should however expect their downstream users to ask about CRA compliance — commercial users will care, even when the upstream doesn’t have to.

Pattern 3: The corporate-sponsored project foundation. Several Taiwan IoT vendors fund a foundation to develop a common FOSS framework. The foundation is registered as not-for-profit and reinvests all surplus. Sub-test 6 protects this. The foundation is not the manufacturer. But: each vendor that integrates the foundation’s framework into their commercial products is a manufacturer of the integrated product, with full CRA obligations on that integrated product. Foundation status protects the foundation, not the downstream integrator.

What to do tomorrow: Run the six sub-tests on your FOSS project.

Take your project. Answer six yes/no questions. (1) Do you charge for the software or any of its features? (2) Do you monetise other things through it — ads, in-app purchases, mandatory data processing? (3) Is access to a paid version conditioned on payment? (4) Are donations operating like a price? (5) Did the funding source come with strings that change how the software is supplied? (6) Are you a not-for-profit reinvesting surplus?

Any “yes” on (1) through (5) probably puts you on the market. (6) is a defence; not-for-profit status doesn’t cure (1) through (5), but it can protect a project that would otherwise be borderline. The classification is binary — on the market or not — but it follows from these six lines of evidence. Write your answers down. The document is your defence.

Source & authority status

This article reads § 3.2 of the Commission’s draft guidance on the application of the CRA — document Ares(2026)2319816, dated 3 March 2026. The guidance is a draft, published under Article 26(1) of the CRA. The feedback period closed on 31 March 2026; the final guidance has not yet been adopted at the time of writing. The guidance is not legally enforceable: only the Court of Justice of the EU can authoritatively interpret the CRA. This commentary reflects how an APAC FOSS publisher might apply the draft today; it is not legal advice.