New CRA Act targets open source

January 27, 2023

According to open-source leaders, the European Union’s planned Cyber Resilience Act (CRA), which aims to “bolster cybersecurity rules to ensure more secure hardware and software products,” could have serious consequences for open-source software.

The proposed Act is said to introduce CE marking for software products, with four specific goals. The first is that manufacturers must improve digitally enhanced product security “across the entire life cycle.” The second goal is to create a “coherent cybersecurity framework” for determining compliance. The third goal is to improve product transparency when it comes to digital security, and the fourth goal is to allow customers to “securely use products containing digital elements.”

The issue raised by open-source leaders appears to concern free software developers who cannot afford the new direct compliance costs for new cybersecurity requirements, conformity assessment, documentation, and reporting obligations. The additional costs are estimated at EUR 29 billion ($31.54 billion). This would also result in higher consumer prices.

The CRA also intends to prohibit the sale of unfinished software for purposes other than testing. This has serious consequences for open-source software. The absence of unfinished software on the market can harm open-source software by reducing the number of potential contributors and users.

Others cannot use, modify, or improve on software that is not available. This can result in a lack of interest and engagement in the open-source community, slowing or even halting development. Furthermore, without access to the software, users may be unaware of its potential benefits, further limiting interest and engagement. Overall, the lack of completed software can limit the growth and impact of the open-source software community.

The sources for this piece include an article in Devclass.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
