Reprieve for open source industry as agreement reached on Cyber Resilience Act

Open source developers have been granted a reprieve after European lawmakers reached an agreement on the terms of the Cyber Resilience Act (CRA). 

An agreement between the EU Parliament and European Council was struck on Thursday 30 November that will fast-track the legislation to its final approval stage.

Under the CRA, more robust cyber security and resilience rules will require organizations to adhere to minimum standards to protect digital products, such as IoT devices.

Terms outlined in the regulation will force software and hardware manufacturers to adhere to a 24-hour disclosure rule for security vulnerabilities and provide a minimum five-year guaranteed patch support for products.

Once introduced, organizations operating in the EU will be required to implement changes to their security practices to comply with the regulation. Those who fail to meet standards within the allocated time frame could be fined up to 2.% of annual turnover. 

Last-minute changes to the CRA mean stringent rules around open source software development will be somewhat relaxed, preventing fears over the bill’s potentially negative impact on the European ecosystem.

In its current iteration, the CRA will not specifically target open source software developers with stringent rules, according to EU lawmakers.

“In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this regulation,” the CRA states.

“This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.”

Nicola Danti, lead member of the European Parliament, said talks between the EU Parliament and Council will strike an adequate balance between robust regulation and flexibility for the open source ecosystem. 

“We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community, while keeping an ambitious European dimension," he said.

"Only together will we be able to tackle successfully the cybersecurity emergency that awaits us in the coming years.”

Open source fears over the Cyber Resilience Act

The CRA has been the source of recurring political flashpoints in recent months, with open source figures across the EU voicing serious concerns over its heavy-handed approach to open source development.

In April, a host of industry bodies criticized the CRA, suggesting that the introduction of the legislation would harm innovation across the open source ecosystem across the union.

A key concern highlighted in this first pushback centered around proposals that would make developers liable for software vulnerabilities. Critics argued that the requirements would have a “chilling effect” on the industry.

In July, open source advocates once again hit out at the legislation ahead of a crunch vote in the European Parliament, arguing that the CRA represented a “death knell” for open source development in Europe.

The EU’s unwavering position throughout this period was a source of extreme frustration by members of the community, some of whom suggested that lawmakers were purposefully ignoring legitimate concerns.