EU’s proposed Cyber Resilience Act raises alarms in the open source industry
The European Union’s Cyber Resilience Act (CRA) is under scrutiny as open source developers and organisations express worries about its implications for the industry. The proposed regulation aims to enhance cybersecurity and establish common standards for digital products. However, there are significant issues that could hinder the future of open source in the EU and beyond.
The current form of the CRA fails to provide clear exemptions for open source developers and maintainers.
This omission raises questions about potential legal risks and liabilities for vulnerabilities found in open source code used in commercial products.
The CRA’s text may discourage commercial support of open source projects, which heavily rely on contributions from commercial entities.
The proposed regulation requires immediate disclosure of vulnerabilities to the European Union Agency for Cybersecurity (ENISA), irrespective of the availability of a fix. This approach disregards coordinated disclosure practices, increasing the risk of exploits before security patches are developed.
The legislation is set for a vote in the European Parliament’s Industry, Research and Energy (ITRE) committee and, if unopposed, may be adopted without a full parliamentary vote.
Industry bodies, including GitHub, need to voice their opposition to the proposed measure to protect the interests of the open source community. Developers, maintainers, and stakeholders should reach out to MEPs (Members of the European Parliament), urging them to investigate the potential consequences and ensure the voices of the open source community are heard.
Failure to address these concerns could result in significant ramifications.
Penalising open source developers and maintainers may lead to a fragmented community, hindering vital projects across critical sectors such as healthcare and infrastructure. Non-EU open source producers may avoid the EU market, limiting access to important projects and repositories. Concerns about legal risks and liabilities may discourage developers from contributing to and maintaining open source projects, impacting innovation and collaboration.
The open source industry needs to take immediate action to safeguard the future of open source in the EU and maintain global collaboration and innovation.