EU Prepares Cyber Resilience Act: Impact on Open-Source Software and Security?

The European Union has been developing the Cyber Resilience Act (CRA) for over six months to protect Europe from cyber attacks and to raise the security of products, including Internet of Things (IoT) devices, computers, and smartphones. However, concerns have been raised that the law could harm open-source software developers and increase the risks associated with vulnerability disclosure.

The non-profit human rights organization EFF has criticized individual clauses within the bill. The law imposes liability for commercial activities that place vulnerable products on the market. Open-source software, which is funded by donations, grants, and sponsors, is the foundation of the modern internet. Unfortunately, the law defines commercial activity so broadly that open-source developers are not exempt from liability, even when they receive no direct funding. EFF calls on the EU to release open-source developers from this liability, especially when they work on projects in the public interest.

The new law also requires software developers to report actively exploited vulnerabilities to the European cybersecurity agency (ENISA) within 24 hours; ENISA then shares this information with national security authorities. While this requirement could push companies to identify and fix vulnerabilities faster, it creates risks for those who care about the security of their products.

If vulnerabilities are reported within such a short time frame, before a fix is available, the information can reach attackers and lead to more serious problems. EFF suggests that the EU should not impose rigid deadlines for fixing security problems and should require reporting of actively exploited vulnerabilities only after they have been patched. EFF also insists that vulnerabilities be disclosed publicly, not just to specific government bodies.

EFF urges the EU to be cautious about the bill's clauses and to consider the harm they could do to open-source developers. While strengthening security requirements is important, it should not undermine the security of products or penalize those who genuinely care about security.