The European Union’s proposed Cyber Resilience Act (CRA) raises concerns for the open source industry, potentially impacting innovation and collaboration.
The European Union’s Cyber Resilience Act (CRA) is under scrutiny as open source developers and organisations express worries about its implications for the industry. The proposed regulation aims to enhance cybersecurity and establish common standards for digital products. However, there are significant issues that could hinder the future of open source in the EU and beyond:
Lack of Liability Exemptions: The current form of the CRA fails to provide clear exemptions for open source developers and maintainers. This omission raises questions about potential legal risks and liabilities for vulnerabilities found in open source code used in commercial products.
Discouraging Commercial Support: The CRA’s text may discourage commercial support of open source projects, which heavily rely on contributions from commercial entities. Unclear definitions of commercial activity and limitations on accepting donations could lead projects to reject significant contributions, undermining collaboration and financial support.
Imperiled Vulnerability Disclosure: The proposed regulation requires immediate disclosure of vulnerabilities to the European Union Agency for Cybersecurity (ENISA), irrespective of the availability of a fix. This approach disregards coordinated disclosure practices, increasing the risk of exploits before security patches are developed.
The legislation is set for a vote in the parliament’s Industry, Research and Energy (ITRE) committee and, if unopposed, may be adopted without a full parliamentary vote. Urgent action is necessary to address the concerns raised:
Public Opposition: Industry bodies, including GitHub, need to voice their opposition to the proposed measure to protect the interests of the open source community.
Engaging European Parliament Members (MEPs): Developers, maintainers, and stakeholders should reach out to MEPs, urging them to investigate the potential consequences and ensure the voices of the open source community are heard.
Failure to address these concerns could result in significant ramifications:
Fragmented Community: Penalising open source developers and maintainers may lead to a fragmented community, hindering vital projects across critical sectors such as healthcare and infrastructure.
Restricted Access: Non-EU open source producers may avoid the EU market, limiting access to important projects and repositories.
Diminished Contributions: Concerns about legal risks and liabilities may discourage developers from contributing to and maintaining open source projects, impacting innovation and collaboration.
The open source industry must take immediate action to safeguard the future of open source in the EU and maintain global collaboration and innovation.