Open source developers have been granted a reprieve after European lawmakers reached an agreement on the terms of the Cyber Resilience Act (CRA).
An agreement between the EU Parliament and European Council was struck on Thursday 30 November that will fast-track the legislation to its final approval stage.
Under the CRA, more robust cyber security and resilience rules will require organizations to adhere to minimum standards to protect digital products, such as IoT devices.
Terms outlined in the regulation will force software and hardware manufacturers to adhere to a 24-hour disclosure rule for security vulnerabilities and provide a minimum five-year guaranteed patch support for products.
Once introduced, organizations operating in the EU will be required to implement changes to their security practices to comply with the regulation. Those who fail to meet standards within the allocated time frame could be fined up to 2.% of annual turnover.
Last-minute changes to the CRA mean stringent rules around open source software development will be somewhat relaxed, preventing fears over the bill’s potentially negative impact on the European ecosystem.
In its current iteration, the CRA will not specifically target open source software developers with stringent rules, according to EU lawmakers.
“In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this regulation,” the CRA states.
“This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.”
Nicola Danti, lead member of the European Parliament, said talks between the EU Parliament and Council will strike an adequate balance between robust regulation and flexibility for the open source ecosystem.
“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community, while keeping an ambitious European dimension," he said.
"Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”
Open source fears over the Cyber Resilience Act
RELATED RESOURCE
Read data protection use cases that will stop data breaches
The CRA has been the source of recurring political flashpoints in recent months, with open source figures across the EU voicing serious concerns over its heavy-handed approach to open source development.
In April, a host of industry bodies criticized the CRA, suggesting that the introduction of the legislation would harm innovation across the open source ecosystem across the union.
A key concern highlighted in this first pushback centered around proposals that would make developers liable for software vulnerabilities. Critics argued that the requirements would have a “chilling effect” on the industry.
In July, open source advocates once again hit out at the legislation ahead of a crunch vote in the European Parliament, arguing that the CRA represented a “death knell” for open source development in Europe.
The EU’s unwavering position throughout this period was a source of extreme frustration by members of the community, some of whom suggested that lawmakers were purposefully ignoring legitimate concerns.
-
Customer service workers were first on the AI chopping block, but now enterprises are backtrackingNews While businesses have been keen on replacing customer service workers with AI, adoption difficulties mean many are now backtracking on plans.
-
Data storage is dead, long live data managementAnalysis Pure Storage's flagship announcement at its annual conference was the Enterprise Data Cloud, but what makes it a "paradigm shifting" new approach to data storage and management?
-
AI-generated code is in vogue: Developers are now packing codebases with automated code – but they’re overlooking security and leaving enterprises open to huge risksNews While AI-generated code is helping to streamline operations for developer teams, many are overlooking crucial security considerations.
-
Redis unveils new tools for developers working on AI applicationsNews Redis has announced new tools aimed at making it easier for AI developers to build applications and optimize large language model (LLM) outputs.
-
‘Awesome for the community’: DeepSeek open sourced its code repositories, and experts think it could give competitors a scareNews Challenger AI startup DeepSeek has open-sourced some of its code repositories in a move that experts told ITPro puts the firm ahead of the competition on model transparency.
-
Flaws in a popular dev library could let hackers run malicious code in your MongoDB databaseNews A popular third party library of MongoDB could allow attackers to execute malicious code on company servers.
-
Want a return on your AI investment? Open source could be the key to success
News Organizations using open source AI tools are more likely to report a return on investment
-
The open source industry is booming as firms invest billions in ecosystem each yearNews Four-in-ten firms contribute open source code on a daily basis
-
AI 'slop security reports' are driving open source maintainers madNews Low-quality, LLM-generated reports should be treated as if they are malicious, according to one expert
-
"Markets do not stand still": The UK needs to up its game to fend off open source competitionNews Investment in the open source ecosystem needs to increase alongside broader government support
