The EU’s proposed Cyber Resilience Act (CRA), which aims to “bolster cybersecurity rules to ensure more secure hardware and software products,” could have severe unintended consequences for open source software, according to leaders in the open source community.
The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements “throughout the whole life cycle.” Second is to offer a “coherent cybersecurity framework” by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to “use products with digital elements securely.”
The draft legislation includes an impact assessment that says “for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations.” This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually.
The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is “deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe.”
He sets what he expects will be required of the Eclipse Foundation, including developing, documenting and implementing policies and procedures for “every project at the Eclipse Foundation.”
Milinkovich also notes that the CRA aims to restrict “unfinished software” so that it is “not available on the market for purposes other than testing.” Use of interim builds and software that is under intense development is common in the open source community, and licenses are not currently restricted to testing.
The Open Source Initiative (OSI) has submitted feedback to the European Commission asking for “further work on the Open Source exception to the requirements within the body of the Act.” The OSI would like responsibility for compliance to be removed from “any actor who is not a direct commercial beneficiary of deployment.”
Open source advocate and OSI standard director Simon Phipps said the legislation “may harm open source” and the current text of the legislation “will cause extensive problems for open source software,” partly because of ambiguities in the wording, and partly because it does not recognise “the way open source communities actually function.”
Olaf Kolkman, exec level advisor to the Internet Society, also expressed concerns saying that “the regulation should be modified to make it clear that software produced under an open source license and distributed on not-for-profit basis is out of scope for the regulation.”
It is a complex issue because use of open source software in the “digital elements” of products is commonplace.
Brian Fox, former chair of the Apache Maven project and now CTO and co-founder of devops company Sonatype, said the legislation might result in “Central, npm, PyPi and countless other repositories being suddenly inaccessible to the European Union, which would be disastrous for both the EU and for the ecosystem as a whole.” At the same time, he said that the draft law is “otherwise [a] very admirable piece of legislation that aims to increase the cybersecurity posture within digital products in a more advanced way than many of its counterparts.”
The question now is whether the EU can preserve the good intent of the legislation without the dire consequences feared by the open source community.