Can open source be saved from the EU’s Cyber Resilience Act?

Opinion When I was in Bilbao recently for the Open Source Summit Europe event, the main topic of conversation was the European Union’s (EU) Cyber Resilience Act (CRA). Everyone – and I mean everyone – mentioned it. Why? Because pretty much everyone with an open source clue sees it as strangling open source software development.

As I’ve mentioned before, the open source community knew the CRA was bad news with a capital B. The hope was that the European Council (EC) could be persuaded to modify the CRA so that it wouldn’t be so onerous for open source developers. They failed.

Instead, on July 13, 2023, the EC approved a CRA draft that open source developers will find very hard to live with. While the draft is currently being bounced back and forth between agencies in Brussels, there’s no sign that things are getting any better for open source developers.

To be fair, CRA has the best of intentions. Its objective is to set forth stringent cybersecurity criteria for gadgets and applications sold within the EU. Every software publisher introducing digital goods into the EU marketplace must address identified security flaws, roll out software updates, and inspect and validate devices and software programs.

Software creators, rather than the end-users, are responsible for securing software. After all, the programmers are the best equipped to identify and rectify security weaknesses and publish patches.

And who can argue with that? Not everyone in the open-source community would. As Arpit Joshipura, the Linux Foundation’s senior VP of networking, said at the event, “There’s too much drama. We must look at the end goal. The end goal for all of us is the same. We want to secure software, and we want to secure open source software.”

The conflict is that the EU wants to do it via regulations with a “very hard line,” while the open-source community wants more flexibility.

And, I might add, they’d love it if EU officials had a clue about how open source really works. They don’t.

The problem is that everyone who publishes software via the Internet is potentially liable for CRA penalties. Don’t live in the EU? Too bad. That doesn’t count. As the Linux Foundation spells out in its CRA summary.

And what if you’re an individual developer of OSS? You are probably excluded by the CRA requirements, even if you occasionally accept donations. But if you regularly charge or accept recurring donations from commercial entities (for example, if you do open-source consulting), you’ll likely be covered by the CRA. As for nonprofit foundations developing open source: You will likely need to comply with the CRA requirements.

However, there are some potential amendments to the CRA, that, if passed, might exclude certain open source projects with a “fully decentralized development model” — ie, not controlled by a single company or entity. If you’re a private company developing, commercializing, or supporting open source software – you will very likely be covered under the CRA.

• EU puts smart device manufacturers on the hook for cyber security
• FOSS could be an unintended victim of EU crusade to make software more secure
• Python head hisses at looming Euro cybersecurity rules
• EU’s Cyber Resilience Act contains a poison pill for open source developers

So, how hard could it be to comply with this law? Far harder than most individual developers, programming organizations, and small or medium-sized businesses can cope with.

If you’ve contributed to a “critical” software program, which is essentially anything except high-level languages and libraries, you’re responsible for providing risk assessments, documentation, conformity assessments, and vulnerability reporting.

So, did you write documentation to go with your program? Yeah, that’s what I thought. But, there’s worse to come. If you discover that there’s a security hole in your program and someone’s exploiting it, you have 24 hours to notify the European Union Agency for Cybersecurity (ENISA).

Wait, you say, you want me to report zero days without fixes to a government agency? Yes, yes, they do. A host of open source and security organizations protested [PDF], saying: “Such recently exploited vulnerabilities are unlikely to be mitigated within such a short time, leading to real time databases of software with unmitigated vulnerabilities in the possession of potentially dozens of government agencies.”

The list goes on and on. It’s simply too much to expect the canonical random maintainer in Nebraska to comply with regulations from halfway around the world.

You see, the EU assumes all open-source developers are commercial programmers and that your Fortune 500 company will take care of all the CRA’s paperwork. Sure, some of us do work for IBM, Meta, or Google. Others still work on open source in their spare time or for Joe’s FixIt Software Shoppe.

The CRA simply doesn’t fit how open source really works. If you want to help before it’s too late and you find an EU notification in your email box from some agency you’ve never heard of informing you that you must comply or pay a penalty of €10,000 for that program you wrote in 2019, you must act now. The Linux Foundation Europe has numerous suggestions on what you can do.

Follow up. Now. ®