The Cyber Resilience Act: Bringing All Developers - Including Open Source - Under its Umbrella
The European Union’s Cyber Resilience Act (CRA) has stirred debate, particularly within the vibrant open source community. Concerns about stifling innovation and imposing undue burdens have been heard, loud and clear. However, a closer look at the latest draft (ST_17000_2023_INIT) reveals a nuanced picture, one that promises increased security for all – including open source software (OSS).
Remember: the CRA does not cover open-source software with no revenue model. However, if an OSS project offers paid support, cloud hosting, or enables other types of commercial activities, it falls under the purview of the Act.
Before we go further, let’s be clear: the CRA isn’t about punishing OSS software developers who commercialize their products. It’s about raising the bar for security across the board, ensuring everyone takes responsibility for the products they build. This includes open source developers, whose code often forms the foundation for commercial applications that we all benefit from.
Shifting the Paradigm: Shared Responsibility for Security
The interconnected world demands shared responsibility, and the CRA reflects this with its focus on the entire “supply chain” of software. This includes, crucially, open source developers.
Enter the Open Source Steward: The Helping Hand.
The concept of the “open source steward”, introduced in the latest version of the Act, is key to understanding the CRA’s approach to OSS.
Who is the “open source steward”?
“open-source software steward’ means any legal person, other than a manufacturer, which has the purpose or objective to systematically provide support on a sustained basis for the development of specific products with digital elements qualifying as free and open-source software that are intended for commercial activities, and ensures the viability of those products.” Art 3, paragraph 18a
Here’s a breakdown of the legal definition of “open-source software steward” in simple terms:
- Steward: Think of it like a dedicated guardian for a specific open-source software (OSS) used in commercial products.
- Not the manufacturer: The steward cannot be the company making the final product (e.g: the IoT device), that uses a specific OSS
- Purpose: Their main job is to support and maintain the OSS, ensuring it stays secure and functional for commercial use.
- Ongoing support: They’re like the mechanic who keeps the OSS engine running smoothly.
- Viability: They act as community leaders, attracting developers and resources to keep the OSS project healthy and active.
Stewards proactively manage the OSS, critically responsible for detecting and mitigating vulnerabilities, patching critical issues, and ensuring software compliance with the CRA’s basic security requirements.
No Financial Penalties, Just a Focus on Improvement
Here’s the kicker: non-compliance by open source software stewards will not lead to financial penalties:
“By way of derogation […], the administrative fines referred to in those paragraphs shall not apply to the following:
b) any infringement of this Regulation by open-source software stewards.”
Art 53, paragraph 10a.b
Benefits for All: A More Secure Open Source Ecosystem
The CRA’s approach to OSS brings tangible benefits:
- Enhanced Security: Improved vulnerability detection and patching will strengthen the entire open source ecosystem, making it more resilient to cyberattacks.
- Increased Trust: Consumers and businesses will gain greater confidence in using open source software, knowing it adheres to minimum security standards.
- Stronger Collaboration: The focus on stewards will foster closer cooperation between developers, security experts, and policymakers, leading to better security practices across the board.
The Cyber Resilience Act presents an opportunity for the open source community to step up and be recognized as a responsible player in the software landscape. By embracing the concept of stewards and collaborating with industry and policymakers, open source can continue to thrive while contributing to a more secure digital future for all.
Let’s not see the CRA as a threat, but as a catalyst for positive change. By working together, we can build a future where open source software is not just innovative, but also secure and trustworthy.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Please refer to the official CRA documents and consult with legal counsel for specific guidance.
Join the Discussion:
Chat with i46’s CEO: Erel Rosenberg
Find out more information on the Cyber Resilience Act here