The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community.
What is the EU's Cyber Resilience Act (CRA)?
The EU's proposed Cyber Resilience Act (CRA) aims to strengthen cybersecurity rules so that hardware and software products placed on the EU market are more secure. It has four main objectives: to require manufacturers to improve the security of products with digital elements from the design stage and throughout the product's life cycle, to establish a coherent cybersecurity framework that makes compliance easier for hardware and software producers, to make the security properties of products with digital elements more transparent, and to enable businesses and consumers to use products with digital elements securely.
How might the CRA affect open source software?
The CRA could have significant unintended consequences for open source software. Leaders in the open source community are concerned that the compliance costs associated with the new cybersecurity requirements may be prohibitive for free software developers, who often have little or no funding. This could fundamentally alter the open source ecosystem, which traditionally operates under licences that supply software for any purpose "as is", without warranty or liability on the part of its authors.
What are the estimated costs of compliance with the CRA?
The draft legislation estimates that the total cost of compliance, including the burden on businesses and public authorities, could reach EUR 29 billion (approximately $31.54 billion). Against that, the legislators anticipate an offsetting reduction in the cost of security incidents, estimated at between EUR 180 billion and EUR 290 billion annually. This raises the question of how smaller organizations, and in particular unfunded projects in the open source community, will absorb their share of these compliance costs.