How Will the Cyber Resilience Act (CRA) Impact the Open-Source Community?
The European Union Cyber Resilience Act (CRA), expected to take effect in 2024, aims to establish strict cybersecurity requirements for software and other devices and products sold on the EU market.
To understand the full scope of the act, check out our complete guide. However, the long and short of it is this: All companies planning to sell and distribute commercial digital products on the EU market must follow new reporting and compliance obligations to ensure that their products are safe and secure for end users.
Vulnerabilities must be reported and mitigated swiftly, and all digital products connected to the Internet will have to go through more stringent auditing and certifying procedures.
But what does this mean for the vibrant and diverse open-source software (OSS) community? Let’s explore the implications of the Cyber Resilience Act on open-source projects, discussing the potential benefits, challenges, and steps that contributors and maintainers may need to take to comply with the new regulations.
Is Your Open-Source Project Covered by the CRA?
When examining the CRA and who it affects in the open-source space, the biggest differentiator is whether your open-source project is commercial or nonprofit.
Let’s start with the most basic participation in OSS development. If you’re an individual contributing to a project, you don’t have to worry about the CRA. Even if you occasionally accept donations for your work, individual contributors will most likely be exempt from adhering to CRA regulations. However, the CRA could affect you if you are charging a recurring rate for your OSS work or receiving recurring payments/donations from a commercial entity.
If you are the owner of an OSS project you provide to others, are you monetizing your work directly? If so, then the CRA will affect you. If you are a private company developing, funding, supporting, and commercializing open-source projects, you will certainly be covered under the CRA.
As many open-source creators are interpreting it, the bottom line seems to be this: If your open-source project is to be regulated by the CRA, it needs to be established that you are participating in some type of commercial activity.
Where Can Problems Be Expected?
The biggest issue with OSS is that the creators often don’t know how their code is used. The communities that create OSS usually do not dictate how it’s used. Therefore, how can upstream developers be responsible for their code if they don’t have any say in its downstream use?
According to Cheuk Ting Ho of the Python Software Foundation, the people monetizing the code should be responsible for upholding CRA regulations.
“Where do you put the liability? Do you put it on people who are writing code and putting it out for anybody to use and morph into whatever product that they're making, or do you put it on the people who are making the actual products—making money off those products? I think the liability should be put on the product.” she said at a recent Linux Foundation panel discussion.
“When those (open source) platforms are distributing software, should they be the ones who are verifying the security of it, or should it be the people who are taking that software at no cost and building it into the products? I think it needs to be on the assembly and deployment of the software rather than on the development,” she added.
As a representative in the panel discussion of a company that does benefit monetarily from OSS, Ericsson's Phil Robb agreed.
“The intent behind this regulation, I think, is very important. But it does go back to those that are actually receiving the benefit of income and revenue from the products, where they're leveraging that open source. They should be the ones that are responsible for it, and certainly, Ericsson is ready to take that responsibility with our products,” he said.
The core issue lies in the CRA's assumptions about software manufacturers, which don't necessarily apply to open-source software developers. Open-source developers, whether individuals or nonprofit organizations, often don't know who uses their software since it is freely available. Consequently, obligations like addressing vulnerabilities and providing security patches to users might be impractical for those offering free software unless they abandon the open-source model.
Many times, open-source developers can’t know all the potential applications of their code, unlike those who choose to integrate it into specific products. Therefore, placing requirements on the OS software's users might be more appropriate than the developers who freely share it.
Many young developers need to overcome confidence issues to contribute to OSS projects as is. With the CRA's impending adoption, members of the open-source community, including individual developers and open-source foundations, have voiced concerns about the CRA's obligations regarding open-source software. Some even believe that the CRA could stifle OSS development.
“I firmly believe that the Cyber Resilience Act (CRA) could have detrimental effects on open source projects, not just within the EU but globally as well. I think the initial absence of clear liability exemptions for open-source projects would unfairly burden developers who contribute without substantial financial backing. This could discourage participation, slow down innovation, and hinder the development of critical projects across various sectors, negatively impacting both developers and end users too,” said Stefan Chekanov, co-founder and CEO of Brosix.
Voicing Your Concerns as an OSS Creator
As noted, the CRA will soon be finalized and ratified. Now is the eleventh hour for OSS creators to have their voices heard. While many in the open-source community agree that cybersecurity regulations and standardization are much needed, they would like a solution that won’t significantly burden open-source organizations and individual developers.
“Thankfully, the latest revisions of the CRA specifically address the importance of open-source products in the software supply chain. In its currently approved form, the legislation aims to balance security requirements with the need to support collaborative, community-driven development. Several foundations are collaborating to establish common specifications and standards to meet the CRA requirements. I believe this is a step in the right direction; protections for open-source projects should be made while, of course, adhering to regulatory compliance,” Chekanov added.
One of the most active and vocal organizations is the Linux Foundation, which has enabled OSS stewardship for the CRA. Visit their website to learn how you can become more involved as an OSS creator and have your voice heard.