The EU Cyber-Resilience Act's approach to open source must be reconsidered


The draft EU Cyber-Resilience Act (CRA), backed by MEPs in July, is intended to reduce the risk of European citizens experiencing data breaches and malicious attacks on their devices. The CRA aims to achieve this by mandating security best practices across Europe’s tech industry. As part of this, it will enforce minimum security standards for end-user tech products sold across the EU, such as IoT devices, desktop computers, and smartphones.
To realise its goals, the CRA also needs to apply these standards to the software and hardware that make up the supply chains behind end-user products. However, the CRA would apply the same strict security standards not only to commercial software within the supply chain but also to non-commercial open source projects and communities. This could place tens of thousands of volunteers at risk of legal action and do significant harm to the continent’s tech sector. The legislators behind the CRA need to urgently revisit how they treat open source software.