oss-sec mailing list archives

European Union Cyber Resilience Act (CRA)


From: "David A. Wheeler" <dwheeler () dwheeler com>
Date: Thu, 5 Oct 2023 11:08:51 -0400

Solar Designer posted on October 1, 2023:
The talk... starts with a mention of the European Union Cyber Resilience Act (CRA)
and how it is problematic for Open Source...
(If we want to discuss in here, which I'm not sure of, please start a
separate thread for this sub-topic, do not just reply to this one.)

Fair enough. The CRA *definitely* impacts open source software,
and it includes security-related requirements. So it seems on-topic for this mailing list, at
least to note that *many* people find the CRA concerning & to point to more information.

I think a good place to start is "Understanding the Cyber Resilience Act:
What Everyone involved in Open Source Development Should Know" from the Linux Foundation:
https://www.linuxfoundation.org/blog/understanding-the-cyber-resilience-act

As currently written, individual developers of OSS are "probably excluded by the CRA requirements, even if you 
occasionally accept donations. But if you regularly charge or accept recurring donations from commercial entities (for 
example, if you do open source consulting), you’ll likely be covered by the CRA."
The bigger problem is that nonprofits & private companies are expected to do a lot of things that don't make much sense. 
As noted, "the assumptions the CRA makes about software manufacturers do not necessarily hold for open source software 
developers."

The Linux Foundation EU has a page about the CRA:
https://linuxfoundation.eu/cyber-resilience-act
... it has many links, and is urging people to work to #FixTheCRA.

Many organizations *have* been trying to get EU regulators to fix the CRA. This isn't a case where no one spoke up. The 
problem is that for the most part their concerns have been ignored by regulators:
https://www.globenewswire.com/news-release/2023/04/17/2647861/0/en/The-Eclipse-Foundation-and-Leading-Open-Source-Organisations-Deliver-Open-Letter-to-European-Commission-Regarding-the-Cyber-Resilience-Act.html

I think the overall *goals* of the CRA are laudable. However, when evaluating laws & regulations you should always 
IGNORE their goals, because their goals are IRRELEVANT. What matters is what the laws and regulations will actually 
*CAUSE*. Put another way, RESULTS are the *only* legitimate basis for evaluating laws and regulations. In this case, I 
think too many regulators are focused on theoretical goals while ignoring what will actually happen.

Full disclosure: I work for the Linux Foundation, but I'm just speaking for myself here.

--- David A. Wheeler
