EU’s Cyber Resilience Act threatens open source developers


The European Union’s (EU) Cyber Resilience Act (CRA), a piece of legislation that aims to improve cybersecurity across the bloc, has been met with fierce opposition from the open source community, which fears that it will stifle innovation and make it more difficult to develop and maintain open source software.

One of the main concerns is that the CRA will impose too much bureaucracy and red tape on open source developers. For example, the law requires developers to provide risk assessments, documentation, conformity assessments, and vulnerability reporting for all “critical” software programs. This could be a major burden for individual developers and small organizations, which often lack the resources to comply with complex regulations.

Another concern is that the CRA does not adequately take into account the unique nature of open source software development. For example, open source software is often developed and maintained by a community of volunteers, rather than by a single company or entity. This makes it difficult to hold anyone accountable for compliance with the CRA.

Individual open-source developers may find relief, but organizations, businesses, and commercial entities engaged in open source are likely subject to the CRA. Compliance involves extensive documentation, risk assessments, and rapid vulnerability reporting.

Reporting zero-day vulnerabilities to a government agency within 24 hours has drawn criticism for being unrealistic. Many open-source and security organizations have expressed concerns about this practice, saying it is impracticable.

The open source community has called on the EU to amend the CRA to make it more flexible and accommodating of open source software development. However, the EU has so far resisted these calls. As a result, the open source community is facing an uphill battle to save itself from the CRA.

The sources for this piece include an article in TheRegister.
