Reprieve for open source industry as agreement reached on Cyber Resilience Act
The Cyber Resilience Act has been maligned by open source advocates across Europe
Open source developers have been granted a reprieve after European lawmakers reached an agreement on the terms of the Cyber Resilience Act (CRA).
An agreement between the EU Parliament and European Council was struck on Thursday 30 November that will fast-track the legislation to its final approval stage.
Under the CRA, more robust cyber security and resilience rules will require organizations to adhere to minimum standards to protect digital products, such as IoT devices.
Terms outlined in the regulation will force software and hardware manufacturers to adhere to a 24-hour disclosure rule for security vulnerabilities and provide a minimum five-year guaranteed patch support for products.
Once introduced, organizations operating in the EU will be required to implement changes to their security practices to comply with the regulation. Those who fail to meet standards within the allocated time frame could be fined up to 2.% of annual turnover.
Last-minute changes to the CRA mean stringent rules around open source software development will be somewhat relaxed, allaying fears over the bill’s potentially negative impact on the European ecosystem.
In its current iteration, the CRA will not specifically target open source software developers with stringent rules, according to EU lawmakers.
“In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this regulation,” the CRA states.
“This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.”
Nicola Danti, lead member of the European Parliament, said the agreement reached in talks between the EU Parliament and Council strikes an adequate balance between robust regulation and flexibility for the open source ecosystem.
“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community, while keeping an ambitious European dimension,” he said.
“Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”
Open source fears over the Cyber Resilience Act
The CRA has been the source of recurring political flashpoints in recent months, with open source figures across the EU voicing serious concerns over its heavy-handed approach to open source development.
In April, a host of industry bodies criticized the CRA, suggesting that the introduction of the legislation would harm innovation across the union’s open source ecosystem.
A key concern highlighted in this first pushback centered around proposals that would make developers liable for software vulnerabilities. Critics argued that the requirements would have a “chilling effect” on the industry.
In July, open source advocates once again hit out at the legislation ahead of a crunch vote in the European Parliament, arguing that the CRA represented a “death knell” for open source development in Europe.
The EU’s unwavering position throughout this period was a source of extreme frustration for members of the community, some of whom suggested that lawmakers were purposefully ignoring legitimate concerns.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.