The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community.
What is the EU's Cyber Resilience Act (CRA)?
The EU's proposed Cyber Resilience Act (CRA) aims to enhance cybersecurity rules to ensure more secure hardware and software products. Its four main objectives are: requiring manufacturers to improve product security throughout the entire life cycle, establishing a coherent cybersecurity framework for measuring compliance, enhancing transparency about the digital security of products, and enabling customers to use products with digital elements securely.
How will the CRA impact open source software?
The CRA could have significant unintended consequences for open source software, as it may impose compliance costs that many free software developers cannot afford. The legislation could alter the fundamental social contract of open source, which allows software to be provided for free and modified without liability. This change could hinder innovation and create barriers for smaller projects that rely on limited funding.
What are the compliance costs associated with the CRA?
The compliance costs for businesses due to the CRA are estimated to be around EUR 29 billion ($31.54 billion), which includes direct costs for new cybersecurity requirements and documentation. This increase in compliance costs may lead to higher prices for consumers, although legislators anticipate potential cost reductions from fewer security incidents, estimated at EUR 180 to 290 billion annually.