
A Step Forward in Cybersecurity: Understanding the European Union's Cyber Resilience Act

The Future of Cybersecurity and Open Source Innovation

NEWS  Security  December 4, 2023  Reading time: 2 Minute(s)

Max (RS editor)


In a significant stride toward bolstering digital security, the European Union's Parliament and Council have come to an agreement on the Cyber Resilience Act (CRA). This much-anticipated security regulation is now on its way to final approval, bringing with it a set of rules that also exempt non-commercial open source software.

The origins of the CRA trace back to a proposal by the European Commission in September 2022. This comprehensive act extends mandatory cybersecurity requirements to a wide spectrum of products with digital elements, from everyday devices like baby monitors to essential infrastructure such as routers.

Once the CRA is in force, which occurs 20 days after it receives approval from both Parliament and the Council, hardware and software manufacturers will face ambitious targets. These include a 24-hour disclosure period for any newly discovered security flaw that is being actively exploited, a commitment to providing five years of security patch support, meticulous documentation of all security features, and more.

Manufacturers, importers, and distributors will have a 36-month window to comply with these requirements, failing which they could incur fines of up to €15 million or 2.5 percent of their total worldwide annual turnover.

While the emphasis on enhanced cybersecurity is commendable, concerns have arisen regarding the potential impact of the CRA on open source software. This type of software is often maintained by a limited number of individuals, despite its significant role in larger products. Meeting tight deadlines for patches, documentation, and disclosure could pose challenges for open source maintainers.

These concerns gained traction as recently as October when it became apparent that the Commission had largely overlooked the open source community during the finalization of the Act.

Fortunately, the latest version of the CRA seems to address these apprehensions. The proposed version explicitly states that:

"Free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation"

This provision aims to protect innovation and research within the open source realm.

Nicola Danti, lead member of the European Parliament (MEP), emphasized the inclusive approach taken in the CRA agreement. He stated:

"We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community. Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years."

In conclusion, the Cyber Resilience Act marks a crucial step toward fortifying the digital landscape. Balancing stringent cybersecurity measures with the preservation of open source innovation, the agreement reflects a collaborative effort to address the evolving challenges of cybersecurity in the modern era.

 COVER IMAGE BY RAWPIXEL.COM ON FREEPIK 
