Reprieve for open source industry as agreement reached on Cyber Resilience Act
The Cyber Resilience Act has been maligned by open source advocates across Europe


Open source developers have been granted a reprieve after European lawmakers reached an agreement on the terms of the Cyber Resilience Act (CRA).
An agreement between the EU Parliament and European Council was struck on Thursday 30 November that will fast-track the legislation to its final approval stage.
Under the CRA, more robust cyber security and resilience rules will require organizations to adhere to minimum standards to protect digital products, such as IoT devices.
Terms outlined in the regulation will force software and hardware manufacturers to adhere to a 24-hour disclosure rule for security vulnerabilities and provide a minimum five-year guaranteed patch support for products.
Once the regulation takes effect, organizations operating in the EU will be required to change their security practices to comply with it. Those that fail to meet the standards within the allocated time frame could be fined up to 2.5% of annual turnover.
Last-minute changes to the CRA mean the stringent rules around open source software development will be somewhat relaxed, allaying fears over the bill’s potentially negative impact on the European ecosystem.
In its current iteration, the CRA will not specifically target open source software developers with stringent rules, according to EU lawmakers.
“In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this regulation,” the CRA states.
“This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.”
Nicola Danti, lead member of the European Parliament on the file, said the agreement between the EU Parliament and Council strikes an adequate balance between robust regulation and flexibility for the open source ecosystem.
“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community, while keeping an ambitious European dimension," he said.
"Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”
Open source fears over the Cyber Resilience Act
The CRA has been the source of recurring political flashpoints in recent months, with open source figures across the EU voicing serious concerns over its heavy-handed approach to open source development.
In April, a host of industry bodies criticized the CRA, suggesting that the legislation would harm innovation across the open source ecosystem throughout the union.
A key concern highlighted in this first pushback centered around proposals that would make developers liable for software vulnerabilities. Critics argued that the requirements would have a “chilling effect” on the industry.
In July, open source advocates once again hit out at the legislation ahead of a crunch vote in the European Parliament, arguing that the CRA represented a “death knell” for open source development in Europe.
The EU’s unwavering position throughout this period was a source of extreme frustration for members of the community, some of whom suggested that lawmakers were purposefully ignoring legitimate concerns.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.