In July, the EU’s ITRE committee endorsed the Cyber Resilience Act (CRA), legislation aimed at enhancing software security through mandatory CE marking on vendor products. This affects a broad range of software, from photo editors and smart speakers to operating systems.
Companies and projects such as BMW, LibreOffice, or Apache OpenOffice, which provide software, will be impacted, as will European consumers or projects like Gaia-X that need to use CE-marked software. The CRA impacts virtually all software creators and deployers.
The CRA’s objective is to diminish security risks by dictating how software is created. Similar to a US strategy, the software publisher is made responsible for its security. However, the CRA introduces expensive and complicated documentation requirements. The EU expects small companies to struggle to meet them, and so open-source developers are also asked to provide these documents.
A clause in the CRA exempts non-commercial open-source software, but with ‘commercial’ defined broadly, almost all significant projects fall into this category, making open-source foundations or individual developers responsible for CE mark conformance.
The act raises issues for open-source software (OSS) projects as they may not know their end users, making it difficult to decide which certification to apply for or when to request a third-party audit.
The exhaustive documentation requirements of the CRA pose a challenge to OSS organizations, which have limited personnel and numerous annual releases. Moreover, the CRA’s demands can lead to fewer OSS releases, changes in proven development processes, and restrictions on software builds, curtailing best practices that have evolved over decades.
The CRA’s stipulation that all projects with paid developers are commercial could cause OSS to decline donations and contributions. The knock-on effect is less secure software due to inadequate funding for fixing security issues.
The CRA also introduces a central ENISA database for reporting all open security issues within 24 hours, which threatens good security practices (issues would be reported before a fix is available) and would itself become a target for attackers. If replicated by other countries, we could see numerous databases of unpatched security issues worldwide.
The CRA’s implications are grave. Some open-source foundations may restrict EU downloads or ask EU nations to cover the costs of CE marks, which could halt open-source activities in the EU, increase software costs, and potentially remove software like PHP, Kubernetes or Linux from the EU market.