Cyber Resilience Act

The Cyber Resilience Act (CRA) is an EU regulation for improving cybersecurity and cyber resilience, through common cybersecurity standards for products that have digital elements. For example, it requires incident reports and automatic security updates. Digital elements are, mainly, hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".

Purposes and motivations
The background, purposes and motivations for the proposed policy include:

• Consumers increasingly fall victim to security flaws in digital products (e.g. vulnerabilities), including in Internet of Things devices or smart devices.
• Ensuring that digital products in the supply chain are secure is important for businesses.
• Potential impacts of hacking include "severe disruption of economic and social activities across the internal market, undermining security or even becoming life-threatening".
• Secure-by-default principles would impose a duty of care for the lifecycle of products, instead of e.g. relying on consumers and volunteers to establish a basic level of security.

According to The Washington Post, the CRA could make the EU a leader on cybersecurity and "change the rules of the game globally".
Implementation and mechanisms
The policy requires that software which is "reasonably expected" to have automatic updates roll out security updates automatically by default, while allowing users to opt out. When feasible, security updates should be separated from feature updates. Companies need to conduct cyber risk assessments before a product is put on the market and retain its data inventory and documentation for 10 years. Products assessed as 'critical' will need to undergo external audits.

The main political groups in the European Parliament were expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023, where lawmakers would discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote was on 19 July 2023.

The Spanish presidency of the EU Council released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements.
Reception
Initially, the proposed act was heavily criticized by open-source advocates, who asked policy-makers to address the under-representation of the open source community. Critics found that, under the policy, "[free and open source software,] more than 70% of the software in Europe[,] is about to be regulated without an in-depth consultation", and that the act, if implemented as written (as of April), would have a "chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU's own expressed goals for innovation, digital sovereignty, and future prosperity". OSI submitted this criticism in response to the European Commission's request for input.

• Although Mozilla "welcome[s] and support[s] the overarching goals of the CRA", it also criticised the proposal for unclear references to "commercial activity" that could include many open source projects (a viewpoint Ilkka Turunen of Computer Weekly repeated), misalignment with other EU rules, and requirements for the disclosure of unmitigated vulnerabilities.
• Steven J. Vaughan-Nichols of The Register argued the CRA's "underlying assumption is that you can just add security to software" while "[m]any open source developers have neither the revenue nor resources to secure their programs to a government standard".
• CCIA Europe warned that "the resulting red tape from the approval process could hamper the roll-out of new technologies and services in Europe".

Amendments were released on 1 December 2023, as part of a political agreement between co-legislators. As Mike Milinkovich, executive director of the Eclipse Foundation, wrote: Debian had previously stated that many small businesses and solo developers would have trouble navigating the act when redistributing open source software. OSI noted that this issue remained unaddressed.
On 24 September 2024, the Eclipse Foundation launched the Open Regulatory Compliance working group to help open-source community participants navigate regulations and to facilitate dialogue with regulators. The group's initial focus is the CRA.