Open source advocates "cautiously optimistic" about Cyber Resilience Act after industry pushback prompts changes

Changes made to the EU’s Cyber Resilience Act (CRA) have been welcomed by open source developers, who believe the updated legislation will be less deleterious to the ecosystem than its previous iterations.

The amended version of the CRA was published on 20 December 2023 and includes clarifications reducing the scope of the regulation, as well as a ‘light-touch and tailor-made regulatory regime’ for open source developers.

Thierry Carrez, general manager of the Open Infrastructure Foundation, said changes made to the CRA highlight the success of the pressure applied to the EU by open source advocates.

“It’s clear from reading the CRA version published on 20 December that the engagement of many open source advocacy groups — including the OpenInfra Foundation — has led to multiple clarifications regarding the openly developed open source model.”

Carrez said open source advocates are hopeful these clarifications will reduce the negative impact the CRA will have on open source software, which represents more than 70% of software used in European digital products.

"We’re cautiously optimistic that those clarifications will reduce the risk of CRA having global chilling effects around open source development and participation.”

He added, however, that open source community bodies will continue to lobby the EU in upcoming public discussions of the legislation.

“We will continue to be proactive and urgent in our advocacy for open source as CRA implementation plans and timelines are determined. In the near term, we’ll be participating in discussions at the EU Open Source Policy Summit and FOSDEM.”

The Cyber Resilience Act has been a minefield for open source devs

According to Carrez, this new legislation is not as threatening as the heavy handed approach previous iterations of the Act included since it was first unveiled in September 2022.

The legislation was intended to boost cyber security and add further protections to digital products like Internet of Things (IoT) devices that have caused a dramatic expansion in attack surfaces.

In addition, the CRA placed new obligations on open source developers to ensure any software developed for commercial products conforms to new rules by submitting documentation, risk assessments, and post-release security requirements.

These requirements were deemed overly demanding by industry experts who signed an open letter in April 2023 outlining their concerns to the European Parliament.  

“If the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global endeavor, with the net effect of undermining the EU’s own expressed goals for innovation, digital sovereignty, and future prosperity.”

This public outcry was successful in pushing the EU into amending the CRA so that some of the most severe restrictions placed on open source developers will be relaxed.

Some of the amendments made by the EU included tightening the definition of what constitutes commercial activity so that funding essential project support functions without the intention to profit is exempt. 

A clearer distinction between the development and supply phases was also implemented, whereby the regulation comes into effect when software is made available on the market in the course of commercial activity.

Another example involves a separate definition for Foundations that are now considered “open-source software stewards” and subject to a ‘light-touch and tailor-made regulatory regime’.