The EU's Cyber Resilience Act moves to the next stage: is the "tragedy" of open source about to unfold?

Despite opposition from many open source communities, and despite the Apache Software Foundation calling it an "impending tragedy", the European Council has reached agreement on a "negotiating mandate" for the Cyber Resilience Act (CRA), authorizing the Spanish presidency to negotiate the final text of the legislation with the European Parliament. These talks, known as a "trilogue", involve the European Commission, the European Parliament and the Council of the European Union.

The European Parliament's Industry, Research and Energy Committee (ITRE) approved the draft CRA by a vote of 61 to 1, with 10 abstentions. The draft regulation imposes mandatory cybersecurity requirements on the design, development, production and marketing of hardware and software products, and would apply to all products that are directly or indirectly connected to other devices or networks.

According to its introduction, the purpose of the legislation is to set common security requirements for connected devices such as IoT products, so that they are "secure throughout the supply chain and throughout their lifecycle". The aim is to end the familiar problems of devices shipping with insecure firmware, being hard to update, or receiving little security attention from vendors once the product has been withdrawn from the market. The legislation includes a CE marking to show that a product complies with the standard, which is why it is sometimes called the "CE mark for software".

But the bill may bring unintended consequences, and unbearable cost anxiety, to the open source community. Dirk-Willem van Gulik, vice president of public affairs at the ASF, noted that the CRA "is making a series of demands that either threaten the very fragile 'win-win' situation of open source contributions or our public resources, go against good industry practice, or are simply not possible; that is, it seeks to treat open source public resources on par with the commercial sector".

The OSI also compiled responses and concerns about the proposed CRA earlier this year from projects and companies including The Document Foundation (LibreOffice), the Python Software Foundation, the Electronic Frontier Foundation, RIPE, the Linux Foundation, GitHub, Huawei, Microsoft, Sonatype and others. The OpenInfra Foundation commented: "While the European Commission seeks to protect open source software (through the exemption expressed in Preamble 10), it has not consulted the wider open source community in the common legislative process, so the language used is likely to have the opposite effect".

According to FileZilla, maker of the popular file transfer utility, "all open source software follows a fundamental principle: the producer makes the software free, but assumes no responsibility or warranty for its use. The CRA violates this principle by imposing unavoidable responsibilities on producers of free software." In protest, the project said it would suspend downloads.

The legislation has been amended several times since its initial draft, but Eclipse Foundation executive director Mike Milinkovich said in a short note that while the revisions made by the Internal Market and Consumer Protection Committee (IMCO) were "good for open source", the revisions by the lead ITRE committee were "very concerning". Milinkovich said the ITRE committee "reached the firm conclusion that most open source projects and all open source foundations are responsible for CE Mark conformance".

Mozilla has expressed similar concerns, saying that ITRE's amendments mean that "open source projects with corporate developers as contributors will be subject to the CRA".

Percona community lead Joe Brockmeier told Dev Class that it is frustrating that the legislative proposals are moving so quickly. He also worries that, despite some opposition from the ASF, Eclipse and others, "the industry response to date has not been strong enough to deal with the potentially very disruptive legislation, if enacted. The legislation under consideration is being advanced in haste and has not allowed enough time for affected organizations and individuals to react. The current draft poses a significant threat to open source software development. Its intended scope and impact will threaten open source development, disadvantage smaller players in the market, such as Percona, and may do more harm than good."

Brockmeier continued: "Open source software works best when developers are able to collaborate regardless of employer or nationality. We've seen issues with encryption and US regulations before, as well as restrictions on working with people in sanctioned countries. EU requirements to report vulnerabilities to EU agencies can distort security vulnerability reporting. Projects subject to these restrictions, such as those that include European developers, can be bypassed."

He believes that the CRA may drive some development and participation away from open source. "In the rush to do something for security, it's important that we don't disrupt or compromise vital public resources that serve everyone equally. If the CRA cannot be stopped at this juncture, we must at least try to ensure it is improved before it is too late."

In addition, OpenUK CEO Amanda Brock said she has heard that suppliers may now simply block their code from entering Europe, in a manner similar to export controls. "This could seriously damage Europe's tech sector."

She added that although the EU has had an Open Source Programme Office for five years, the legislation still focuses on providing "exemptions" only for small and medium-sized enterprises, which shows a complete lack of understanding of how open source software works. "Focusing on SMEs without focusing on the nature of open source software is extremely short-sighted and creates a cycle of chronic lack of growth for European tech companies."

Source: www.oschina.net/news/250735/eu-cyber-resilence-act-next-stage