The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community.
What is the EU's Cyber Resilience Act (CRA)?
The EU's proposed Cyber Resilience Act (CRA) aims to enhance cybersecurity rules to ensure more secure hardware and software products. Its four main objectives include requiring manufacturers to improve product security throughout the entire life cycle, establishing a coherent cybersecurity framework for compliance measurement, enhancing transparency of digital security in products, and enabling customers to use digital products securely.
How might the CRA affect open source software?
The CRA could impose significant compliance costs on software developers, including those in the open source community. This raises concerns about the sustainability of open source projects, as many lack the funding to meet new cybersecurity requirements. Leaders in the open source community worry that the legislation could alter the foundational principles of open source software, which is typically provided for free and without liability.
What are the estimated costs associated with the CRA?
The CRA is estimated to incur a total compliance cost of around EUR 29 billion ($31.54 billion), which includes direct costs for new cybersecurity requirements and reporting obligations. This could lead to higher prices for consumers. However, legislators anticipate potential cost reductions from preventing security incidents, estimated between EUR 180 to 290 billion annually.