Cyber Resilience Act (CRA)

See the following -

Diverse Open Source Uses Highlight Need For Precision In Cyber Resilience Act

As the European Cyber Resilience Act (CRA) is entering into the final legislative phase, it still has some needs arising from framing by the Commission or Parliament that result in breakage no matter how issues within its scope are “fixed”. Here’s a short list to help the co-legislators understand the engagement from the Open Source community...OSI and the experts with whom they engage are not trying to get all of Open Source out of scope as maximalist lobbyists do for other aspects of technology. An exclusion from the regulation for Open Source software per se would open a significant loophole for openwashing. But the development of Open Source software in the open needs to be excluded from scope just as the development of software in private is. Our goal in engaging is just to prevent unintentional breakage while largely embracing the new regulation.

Read More »

The Cyber Resilience Act Introduces Uncertainty And Risk Leaving Open Source Projects

What might happen if the uncertainty persists around who is held responsible under the Cyber Resilience Act (CRA)? The global Open Source community is averse to legal risks and generally lacks access to counsel, so it’s very possible offers of source code will simply be withdrawn rather than seeking to resolve the uncertainty. The CRA rightly addresses the need for commercial suppliers to protect their customers from exploits and cyber attacks. But legislators have exposed the open development of software itself to the regulations rather than just the for-profit use of Open Source artifacts in the marketplace. They are incorrectly assuming that Dirk Riehle’s terminology calling single-company projects “commercial Open Source” means it’s possible to use the “commerciality” of an application to distinguish single-company activity from community projects, and by using the concepts of proprietary software to then define boundaries.

Read More »

Understanding the Cyber Resilience Act: What Everyone involved in Open Source Development Should Know

The European Union is making big changes to cybersecurity requirements with its proposed Cyber Resilience Act (CRA). You may have heard about the CRA’s potential impact on the open source ecosystem. But what does the Cyber Resilience Act mean for you? This post is an introduction to the Act and explains how it may affect the open source maintainers and developer community. Note that this post is based on a draft of the CRA from September 15, 2022. The Act is still in a draft stage and getting feedback, and its provisions may differ before it is passed into law. The Cyber Resilience Act was introduced by the European Parliament in September 2022. Its purpose is to establish cybersecurity requirements for devices and software marketed in the EU. Everybody who places digital products in the EU market will be responsible for additional obligations around reporting and compliance, such as fixing discovered vulnerabilities, providing software updates, and auditing and certifying the products.

Read More »