Updates on CRA


The European Union (EU) has recently demonstrated a proactive stance towards cybersecurity regulation, notably with the introduction of the Cyber Resilience Act (CRA). This legislative move underscores the EU's commitment to fortifying digital infrastructure in the face of evolving cyber threats. But as we all know, the risks for open source were very high: because of the way it was drafted, the CRA's obligations, instead of solely targeting companies deploying open source software for profit, potentially ended up burdening developers and open source foundations. That’s why the EU's receptiveness to input from the open source community has a particular significance: it highlights the beginning of a collaborative approach to addressing cybersecurity challenges.


On December 1st, it was announced that the EU co-legislators had achieved a political agreement on the CRA and that the concerns of the open source community had been taken into consideration. The updated legislation significantly enhances its provisions regarding the exclusion of open source projects, communities, foundations, and their platforms for development and package distribution. Additionally, it introduces a novel economic actor termed the "open source steward," recognizing the vital role played by foundations and platforms within the open source ecosystem. This marks the inaugural inclusion of such a provision in regulation, and its evolution will be closely observed. The Eclipse Foundation is committed to investing substantial effort into contributing to the refinement of this concept and its practical application to ensure alignment with the values of the open source community. Furthermore, the final revisions have extended the implementation phase to three years, suggesting that full compliance with the CRA is likely to commence in early 2027. For further insight, OpenForum Europe's recent press release on the CRA provides valuable context.

Read more from the Eclipse Foundation here

The engagement of European regulators with the open source community is a noteworthy development. Open source software, with its transparency, flexibility, and community-driven development model, offers unique advantages in enhancing cybersecurity resilience. The EU's willingness to solicit and consider input from the open source community reflects a recognition of the value of diverse perspectives in shaping effective cybersecurity policies.

Read more on the reactions of the main open source players

The Cyber Resilience Act, influenced by input from the open source community, embodies principles of transparency, accountability, and collaboration. By promoting open standards and interoperability, the CRA encourages the adoption of open source solutions in cybersecurity, fostering innovation and competition in the market. Additionally, the CRA's emphasis on information sharing and collaboration reflects the collaborative ethos of the open source community, facilitating collective action against cyber threats.

Read the open source Forum press release here

Looking ahead, continued collaboration between European regulators and the open source community will be vital in addressing the evolving cybersecurity landscape. As cyber threats become increasingly sophisticated, a proactive and collaborative approach to regulation is essential. The open source community needs to continue to dedicate time and effort to actively engaging with policymakers, offering explanations of how its ecosystems and technologies operate. On the other hand, by leveraging these efforts and knowledge, the EU can enhance its cyber resilience and safeguard its digital infrastructure for the future, identifying the correct liabilities and recognising all involved actors. As an example, consider the endeavours of the Linux Foundation Europe over the last months with the #FixTheCRA campaign, and the commitment of the OpenSSF, a cross-industry foundation within the Linux Foundation that aims to facilitate the sustainable management of open source software (OSS), ensuring that its development, upkeep, and utilization are sustainable. This involves promoting teamwork, setting standards, and creating inventive solutions.

The first (amazing) steps have been taken, but a lot is still to be done: although open source projects themselves won't need to directly adopt the processes outlined in the CRA (like holding the CE mark), any commercial products based on these projects and offered in the EU will be required to comply. This entails the introduction of regulatory standards for secure software development. Mike Milinkovich, Executive Director of the Eclipse Foundation, states: “I predict this will put pressure on projects and communities to enhance their processes to assist in downstream commercialization.”

We are at an important milestone in the history of software, and we need to commit as developers and as citizens as well. As SparkFabrik, we are in.