Commentary Regarding the Cyber Resilience Act
Towards the end of 2022, the European Commission published a draft for the Cyber Resilience Act (CRA), which is supposed to strengthen security-critical soft- and hardware in Europe. As a result, the damages caused by cybercrime are expected to decline. Overall, this is a very desirable goal yet it did not take long for the first concerns to be raised by the open source community.
Open source software benefits from its community, in regards to innovation as well as security. An active community guarantees not only a multi-eye principle during every stage of development but also so-called backdoors for maintenance, as proprietary software commonly uses them, are not even implemented to begin with. Thus, open source software can generally be considered more secure.
The current draft of the Cyber Resilience Act demands maximum security for all IT components, and contains obligations for self-certification for software providers to ensure compliance with the CRA. Generally, these are sensible and appropriate requirements, nonetheless these criteria are not fully applicable to open source companies which largely are small-to-medium enterprises. Even though there is an exception for open source in recital 10 of the preamble, in which is stated that “[i]n order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation” only to be infringed upon right after. The later restriction on the exception within the same recital then states that the Regulation will also apply to software for which commercial technical support is available. In most cases, this precisely constitutes the core of the business model of companies in this industry. Amongst others, the Open Source Initiative sees the biggest problem for open source in Europe in this part. Hence, Simon Phipps wrote extensive feedback for the current CRA-draft on 23 January, 2023. Similar statements have been issued by OpenForum Europe and the Open Source Business Alliance (OSBA).
This particular subject matter is being intently discussed by the OSBA as definitions and wording remain problematic for open source companies. For instance, the draft defines “manufacturers” not only as the companies/organisations who actually develop the software but also those who import or distribute any given software as stated in article 15. As a result, distributors would be liable and responsible to the same extent as the actual manufacturer. Same goes for any natural or legal person who undertakes substantial changes of the code (art. 16). It is going to be very difficult for these so-called “manufacturers”, who usually are rather small companies in the open source context, to achieve full compliance with the superimposed obligations, such as resilience against denial-of-service-attacks. Furthermore, the suggested level of penalties seem to be oriented towards the financial resources of big enterprises. The draft mentions penalties of up to 15 million or 2.5% of the total worldwide turnover of the previous year (the higher amount respectively) as mentioned in article 53.3.
In general, the Cyber Resilience Act is a positive development as each effort to increase security in critical areas, especially in the context of ongoing conflicts, represents an effort to strengthen democracy. Nonetheless, we must be careful to not throw the baby out with the bathwater. The CRA must not lead to manufacturers being fearful of releasing their software for the European market, nor lead to the erasure of smaller European companies in the software industry. The most important field of work for DAASI International – IAM – falls under class 1 (security-) critical products as listed in annex III of the CRA, and therefore also is immediately relevant to us. Thus we will actively observe all developments in this matter.