EU’s Proposed Cyber Resilience Act Raises Concerns for Open Source and Cybersecurity
The EU is in the middle of the amendments process for its proposed Cyber Resilience Act (CRA), a law intended to bolster Europe’s defenses against cyber-attacks and improve product security. Without adopting changes to the proposed text, the act will have the opposite effect.
"Any open source developer soliciting donations or charging for support services for their software is not exempted and thus liable for damages if their product inadvertently contains a vulnerability which is then incorporated into a product, even if they themselves did not produce that product."
"Smaller organizations which produce open source code to the public benefit may have their entire operation legally challenged simply for lacking funds to cover their risks. This will push developers and organizations to abandon these projects altogether, damaging open source as a whole."
"It will also require manufacturers to report actively exploited, unpatched vulnerabilities to regulators."
"This requirement risks exposing the knowledge and exploitation of those vulnerabilities to a larger audience, furthering the harms this legislation is intended to mitigate."
"We call on the European Commission to take the concerns of the open source community and security professionals seriously and amend the proposal to address these serious concerns," states the blog post.