Representatives of member states of the European Union (EU) reached a common agreement yesterday regarding the proposed Cyber Resilience Act (CRA).
The proposal of the CRA last year received a range of public commentary, from general praise for its goal to set better standards in software security to pointed criticism for its implied liability placed on open source projects and ambiguous language defining commercial versus non-commercial usage of open source.
As open source software comprises 90% of modern applications, punishing open source developers and maintainers for falling outside the language of the law could stymie innovation and software development as we know it.
While the intent to improve cybersecurity and cyber resilience is an admirable and desirable objective, the vagueness of a law regarding an essential building block of software development could have detrimental unintended consequences. Sonatype’s CTO Brian Fox spelled this out in a blog post last December, saying the following:
“If open source producers and distributors who also derive commercial benefit from developing or distributing open source are suddenly liable for every defect and vulnerability within a public repository, the only logical conclusion is a balkanization of open source.”
As multiple European Union governing bodies discussed, debated, and amended last year’s CRA draft, the law’s language triggered mounting concerns from open source organizations, who published an open letter in April that expressed unease at the law’s potential “chilling effect” on open source software development.
Sonatype followed up on this commentary in order to help amplify the growing concern by the open source community. At that time, organizations including the Linux Foundation, Eclipse Foundation, Python Software Foundation, and many others were all sounding the alarm given the potential for open source software to be included in the commercial criteria laid out by the CRA.
The wrong solution to the right problem
The CRA has good intentions. All software should be secure by default and design. These principles are echoed in the National Cyber Security Strategy, the CRA, and many other iterations of national approaches to improving software security. However, as Sonatype highlighted in December 2022, “The seemingly purposeful omission of exemptions for open source would put undue onus on open source foundations and maintainers and poses a serious risk to not just EU innovation and security but global collaboration.”
As research shows, nearly 96% of all vulnerable open source components downloaded have a fix available. Instead, it is the consumption of open source software, and more specifically bad decisions by consumers of open source software, that drives software security and supply chain risk. Open source represents a public good driven primarily by the donation of time and an almost idealized drive to make the world a better place through free software. Yet the CRA targets this goodwill and punishes those with the least resources for the poor decision making of those with the most.
The future of open source
So, what does the future look like for a post-CRA world?
Brian Fox summed this up earlier this week before the regulation passed:
“This situation not only undermines the spirit of open source but could bring about an open source crisis and isolate the EU from the rest of the world. Non-EU open source producers will avoid the EU market, meaning no access to Linux, Apache, Kubernetes and many other projects. Repositories like Maven Central, npm and PyPi may be prompted to ban EU consumption to avoid being considered a distributor. EU projects concerned about liability could pull their source code off the internet, and EU businesses may be forced to halt contributions to open source projects.”
The most likely outcome of the CRA will be that open source contributors and projects simply walk away. Larger software manufacturers will incur increased costs, and smaller firms won’t be able to compete. Regardless, significant disruption and chaos are all but inevitable. While that may not have been, and probably wasn’t, the intent, it seems to be the most likely result.
Where do we go from here?
First, learn as much as you can about the impact the CRA will likely have on open source. To get a head start, we recommend these resources:
- Eclipse presentation (video): Update on the European Cyber Resilience Act
- Apache.org (blog): Save Open Source: The Impending Tragedy of the Cyber Resilience Act
- GitHub (blog): No cyber resilience without open source sustainability
We also recommend reading the Tragedy of the Digital Commons, written by Chinmayi Sharma. This detailed paper takes a look at the long history of commercial software manufacturers side-stepping responsibility, alongside a review of how government is shifting its focus toward software manufacturer liability.
Finally, as the CRA moves forward, Sonatype believes it’s important to understand the basics of the regulation, since it might have a long tail of reverberations in today’s software-driven world, especially with regard to the future of open source software in the EU. Below we provide an overview of the CRA in its approved state.
Fact sheet: CRA
The CRA is a cybersecurity regulation proposed by the European Commission and is meant to augment cybersecurity and cyber resilience in the EU through common cybersecurity standards for products with digital elements.
The European Commission first proposed this law with a published draft on September 15, 2022, introducing it as a proposed regulation of the European Parliament and the European Council on horizontal cybersecurity requirements.
What is the intent of the CRA?
The CRA intends to combat threats affecting products with digital elements by bolstering the standards under which the products are developed and delivered.
The European Commission states the CRA’s two main objectives as the following:
- Create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensuring that manufacturers take security seriously throughout a product’s life cycle.
- Create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
The CRA’s requirements would be mandatory while also being complementary to existing European cybersecurity rules, in the hope of strengthening the security of software supply chains.
Who falls under the authority of CRA?
The CRA applies to any commercial software product developed or sold in the EU, with an exception for products “developed in a non-commercial setting.” For example, in the case of open source software, “where free and open source software is developed by a single organization or an asymmetric community, where a single organization is generating revenues from related use in business relationships, this should be considered to be a commercial activity.”
Manufacturers of any products with digital elements sold in the EU market will need to abide by the mandatory requirements stipulated in the CRA. As these manufacturers remain responsible for cybersecurity throughout each product’s lifecycle, they will need to report any actively exploited vulnerabilities or incidents.
Upon adoption of the CRA, manufacturers will have two years to adapt to the regulation’s requirements. However, the stipulation to report actively exploited vulnerabilities or incidents takes effect after one year.
When did the European Parliament vote on the CRA?
This month, EU institutions such as the European Council and the European Commission held final discussions of proposed changes to the CRA. On July 19, 2023, the European Parliament's Committee on Industry, Research, and Energy (ITRE) voted to adopt the rules of the CRA.
Following this vote and the agreements between EU governing bodies, the Spanish presidency will reportedly negotiate with the European Parliament on the final version of the legislation.
What further revision is expected to the CRA?
According to the fact sheet provided in September 2022, the European Commission intends to periodically review the CRA and report findings regarding its implementation and function.