Effects of Cyber Resilience Act(CRA) on Open Source Ecosystem

[OnkarRuikar]

What is it?

The Cyber Resilience Act (CRA) is a piece of legislation proposed by the European Commission to protect consumers and businesses from inadequate cybersecurity features of hardware and software products with digital elements. It makes manufacturers, importers, and distributors responsible for the cybersecurity of a product during the whole lifecycle of the product.
After the European Parliament and Council approves it, manufacturers of hardware and software products will have 24 months to comply and 12 months to start reporting the product vulnerabilities.

The discussion is mostly about how it will affect open source ecosystem.

What is affected?

There is a list of types of products that will come under CRA. They’ve been grouped in classes based on criticality.
Here are some of the types:

• Operating systems (desktop, mobile, and server)
• Web browsers
• Mobile device management software
• Network management software
• Remote access management software
• Firewalls
• Microcontrollers
• Microprocessors
• Automation and control systems
• ...

They have asserted that CRA will also be applicable to any software that involves commercial activity.

What is required?

Following are some of the requirements:

• For highly critical software mandatory EU certification is required.
• For class 2 software third party assessment is required.
• For class 1 software application of standards or third party assessment.
• Rest of the eligible software needs self-assessments.
• The risk assessment will have to be included in the technical documentation of the product.
• Third party components also need to be assessed.
• Reporting of found vulnerabilities within certain time frame to authorities.
• Obtain the CE mark by completing all the requirements. The mark will guarantee conformity with the CRA.
• ...

Above activity is to be done only on the final product that is making money. The obligation falls on the main manufacturer/seller/importer.

For more details refer the official Cyber Resilience Act page.

Repercussions

Apart from critical software(like OS and browsers), CRA will be applicable to other open source software because of involvement of commercial activity. For example, paid technical support, sponsorships, donations, and any sort of monetization. They’ve asserted that if anyone is making money with an open source product then it falls under CRA.

Following issues may arise:

1. Companies will be forced to use the only components/libraries that meet required security standards. So open source developers will have to additionally ensure their software meets all the standards because it may get used in different commercial products. Otherwise, the companies will have to copy and maintain or re-implement the components themselves to ensure the quality.
2. Audit costs, documentation, modifications in existing practices etc. will add to the development costs, and it will definitely fall on customers(international customers as well?). Although request for concessions is being made for open source projects but still it’ll cost some money. Small teams and individual developers may suffer the most.
3. If an open source developer releases a software using a license which takes security responsibility to comply with CRA, then users from rest of the world can also use it in legal matters. So, to minimize liability, should the developer release the software using two licenses one for EU and one for rest of the world? Or maintain two copies of the source code each with separate license?
4. Many develpers contribute to open source as a hobby for free. They would not want to be held liable, may not learn the standards and get their software assesed. Such developers outside the region may stop releasing products in EU region to avoid the trouble. Such products will not be made available in EU region. Developers inside the region will have to learn the standards and security practices to make open source contributions.
5. Many free software like some Linux distributions, package stores, and hobby projects that won’t comply will not be available in EU. The users may resort to VPNs to bypass the restrictions.
6. Platforms such as play stores, browsers providing plugins, GitHub, Sourceforge will be responsible for the software content they make available in EU region. These platforms will have to ask for compliance certificate from the developers to show/sell their product in the region.
7. Interest(contributions or donations) in open source software outside the EU region by users inside the region may fall. Because that software may not be usable/available in the region.
8. One of the motivation behind the CRA is to achieve digital sovereignty or digital autonomy. In their words it is putting borders on borderless Internet. It will be hard to maintain same code for different standards or for different regions. Will local software be promoted over international counterparts? Will it cause Internet fragmentation and software deglobalization?

• How do you think the CRA will affect open source software?
• Going forward which open source license will be better? Do we need a new license?
• How will it affect MDN Web Docs(considering MDN Plus)?

[teoli2003]

Hi @OnkarRuikar. It looks like MDN is not affected by this.

[OnkarRuikar]

Will CRA be applicable to paid installable Progressive Web Apps(PWA) and offline websites that give native application like experience?

[bsmth]

JYP has answered this in https://github.com/orgs/mdn/discussions/323#discussioncomment-4826200 so I'm closing now. Thank you for raising it, Onkar!