The head of Linux Foundation Europe took to the stage at Kubecon today to deliver an unscheduled call to action for the open source community to fix flaws in the EU’s planned Cyber Resilience Act.
The Linux Foundation Europe was launched last September to grow and nurture open-source projects in Europe.
But Gabriele Columbro, in a surprise keynote this morning, warned attendees about the possible implications of the Cyber Resilience Act that Brussels unveiled last September.
The EU, in common with the US and the UK, is looking to tighten up cyber resilience, including software supply chains. However, the EU’s draft text could potentially load liability and risk onto open source maintainers and distributors.
“We certainly commend the goals,” Columbro told the audience. “But there is a broad consensus in the open source community…that it might impact the very fabric of the open source community.”
This could extend to maintainers, foundations, and potentially package managers, he said. “Professionally I’m worried about the impacts on open source,” he said. “As an Italian citizen more broadly about the thriving European technology system which so much relies on open source.”
One of the problems with the act is a lack of clarity in the draft text. For example, it states: “In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.”
However, many project contributors do work for commercial organizations, potentially leaving them in an exposed position.
Columbro told DevClass there are also concerns about the legislation’s proposals on upstream fixes for vulnerabilities and whether these should be made under the project’s original license.
As well as the potential for individual contributors to be caught out by the proposed legislation, the Linux Foundation was also concerned about the possibility of Europe becoming isolated from broader open source innovation. This could, ironically, undermine Europe’s own efforts around digital sovereignty, he suggested.
It was important that technical audiences, such as those at Kubecon, were aware of the potential implications of the CRA, he said, and could alert their organizations’ legal and public affairs departments.
He added that the organization was hearing some “positive things” from Brussels on the legislation, but that “like every law, it’s a matter of interpretation.” So it is important to have as much clarification as possible before it goes into effect.
By comparison, the White House cybersecurity strategy unveiled by Joe Biden in March pledged to “reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”
It made clear that open source developers should not be held accountable for bad outcomes when their projects or components are integrated into commercial products.
For its part, the UK is carrying out a consultation on Cyber Resilience, and has asked for views on where responsibility should lie, with an official response due in the northern hemisphere summer.