In its current form, the European Union’s Cyber Resilience Act (CRA) would impose a major burden on open source contributors, developers, and non-profit foundations, says Linux Foundation Europe.
Ends vs. Means
"The policy goals of the CRA — reducing vulnerabilities in digital products, ensuring cybersecurity is maintained throughout a product’s life cycle, and enabling users to make informed decisions when selecting and operating them — are widely supported, including by LF Europe," the organization says. However, “major concerns remain about how the CRA aims to achieve these goals, especially in the context of the open source ecosystem."
In a previous article, we noted some of these concerns, as described by organizations including the Python Software Foundation (PSF), which found “issues that put the mission of our organization and the health of the open source software community at risk,” according to Deb Nicholson, Executive Director of the PSF.
“The CRA could bring support to open source developers maintaining the critical foundations of our digital society. But instead of introducing incentives for integrators or financial support via the CRA, the current proposal will overload small developers with compliance work,” says NLnet Labs.
As Steven J. Vaughan-Nichols puts it, “pretty much everyone with an open source clue sees it as strangling open source software development.” One problem, he says, “is that everyone who publishes software via the Internet is potentially liable for CRA penalties. Don't live in the EU? Too bad. That doesn't count.”
The act is moving through the legislative process and “will soon enter the EU trilogue phase, which is the last step before the EU parliament will vote on the CRA in the plenary,” explains LF Europe, which is now “calling for the broader community to take immediate action.”
“Whether you are an individual contributor, a corporation contributing to or relying on open source, or a public sector representative, your active participation matters. We encourage you to vocalize your concerns,” the organization says.
Learn more at LF Europe.
- Open Source and the CRA: It Will Not Work — Linux Foundation
- Open Source Development Threatened in Europe — The New Stack
- Potential Impacts of Cyber Resilience Act on Open Source Projects — FOSSlife
- Understanding the Cyber Resilience Act: What Everyone involved in Open Source Development Should Know — Linux Foundation
Contact FOSSlife to learn about partnership and sponsorship opportunities.