EU’s Cyber Resilience Act threatens open source developers

The European Union’s (EU) Cyber Resilience Act (CRA), a piece of legislation that aims to improve cybersecurity across the bloc, has been met with fierce opposition from the open source community, which fears that it will stifle innovation and make it more difficult to develop and maintain open source software.

One of the main concerns is that the CRA will impose too much bureaucracy and red tape on open source developers. For example, the law requires developers to provide risk assessments, documentation, conformity assessments, and vulnerability reporting for all “critical” software programs. This could be a major burden for individual developers and small organizations, which often lack the resources to comply with complex regulations.

Another concern is that the CRA does not adequately take into account the unique nature of open source software development. For example, open source software is often developed and maintained by a community of volunteers, rather than by a single company or entity. This makes it difficult to hold anyone accountable for compliance with the CRA.

Individual open source developers may be spared, but organizations, businesses, and commercial entities engaged in open source are likely to fall within the CRA’s scope. Compliance involves extensive documentation, risk assessments, and rapid vulnerability reporting.

The requirement to report actively exploited zero-day vulnerabilities to a government agency within 24 hours has drawn particular criticism: many open source and security organizations say such a deadline is impracticable.

The open source community has called on the EU to amend the CRA to make it more flexible and accommodating of open source software development. However, the EU has so far resisted these calls. As a result, the open source community is facing an uphill battle to save itself from the CRA.

The sources for this piece include an article in TheRegister.
