EU Cyber Resilience Act is a threat to open source in Europe, industry

Legislation, which passed last week, criticised for a lack of understanding of the open source model

Last week, the European Union passed the Cyber Resilience Act (CRA), legislation intended to enhance cybersecurity and protect digital products including IoT devices.

The Act was approved by EU member states, and will now be the subject of further negotiations in the European Parliament before becoming law. Upon entry into force, stakeholders will have 24 months in which to adapt to the new requirements.

Carme Artigas Brugal, state secretary for digitalisation and artificial intelligence, praised the CRA as advancing the EU's "commitment towards a safe and secure digital single market."

However, producers of open source software fear that their concerns have been ignored. They argue that in its current form, the CRA poses significant challenges to open source and could adversely affect companies involved in this sector, including those that use and contribute to open source software.

Joe Brockmeier, head of community at Percona, said the CRA could have damaging consequences if enacted. He described the process of drafting the Act as "rushed" with insufficient time for organisations and individuals to provide meaningful input.

"The Act's potential impact on open source software development is particularly worrying," Brockmeier said in an email to Computing.

"The CRA may classify upstream open source projects as 'commercial' if any contributors are paid to work on them, leading to unintended consequences and disadvantages for smaller players.

"The current draft poses a significant threat to open source software development. Its intended scope and impact is going to threaten open source development, disadvantage smaller players in the market, like Percona, and will likely do more harm than good."

A major issue is the proposed disclosure rules for security vulnerabilities. The CRA aims to force projects to report vulnerabilities to an EU institution within a matter of "hours", which contradicts industry practices and may have severe unintended effects.

Brockmeier pointed out that all software contains flaws, that it's always to some degree a work in progress, and that open source software is used in ways and in combination with other code that cannot be envisaged by its authors.

The CRA imposes "unrealistic standards around security that are ill-defined and likely impossible to meet," he said, warning that the Act might discourage development and innovation, and adding, "it is a real possibility that the CRA will drive some development and participation in open source out of Europe."

Amanda Brock, CEO of advocacy group OpenUK, criticised the CRA for carving out special provisions for SMEs while failing to do the same for open source foundations. She argued that this demonstrates a lack of understanding of how open source software functions, which could hinder the growth of European tech companies.

"The focus on SMEs rather than the nature of open source is extremely short-sighted and feeds into a cycle of perpetuating the lack of growth of European tech companies," said Brock.

She described the EU's approach as very prescriptive and top-down, and likely unworkable. "How are these [rules] actually going to be implemented? I suspect with great difficulty and very slowly."

She praised UK policymakers for their "more considered approach" to open-source software so far.

Brian Fox, CTO at Sonatype, also reacted with apprehension to the CRA's passing.

"[The] endorsement ... presents a clear threat to the future of open source. The CRA, as it stands, will discourage commercial support of open source, as well as developers from contributing to projects for fear of liability and will require hasty vulnerability disclosure that would increase the chances of bad actors exploiting bugs before they can be fixed."

It could also deter open source contributors from delivering new software and maintaining existing projects, he added, which would harm the EU economy and also any company that uses open source software around the globe.

It is estimated that up to 97% of today's software, including proprietary applications, uses some open source code.

"Open source projects underpin much of the software we use every day. It's the lifeblood of the internet," said Fox.

He added that he is among the individuals, companies and industry groups, including the Apache Foundation and GitHub, who have argued for a change of emphasis and wording to take account of the community-based and collaborative realities of open source software development.

Fox expressed the hope that these and other industry bodies would continue to speak out publicly on the CRA before it becomes law.