
EU cybersecurity regulation and Open Source governance

Formal Metadata

Title
EU cybersecurity regulation and Open Source governance
Title of Series
Number of Parts
43
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Non-commercial FOSS development is excluded from the scope of the EU Cyber Resilience Act, and so are individual volunteer developers. Businesses are not. But where is the line between an incorporated FOSS community and an open source business? Depending on the answer, making FOSS releases comes with significant obligations, such as implementing maintenance and vulnerability reporting processes, self- or third-party certifications, or providing patches for a product lifecycle of 5 years or more. This will impact the viability of some FOSS development models, like that of part-time maintainers supported by donations, or business-sponsored communities. The governance setup of FOSS projects may have to be sharpened to match the roles required in the law. The presentation will break down the obligations, when and how they apply, and what actions communities can take to handle them.
Keywords