Cyber Resilience Act: EU Regulators Must Strike the Right Balance to Avoid Open Source Chilling Effect


The Cyber Resilience Act is unprecedented legislation for the Internet of Things (IoT). Europe’s proposed regulation will establish minimum cybersecurity standards for connected devices and mandate ongoing security updates throughout their supported lifespan.

However, the legislation is causing concern among open-source industry bodies, which wrote in an open letter that the draft act will have a “chilling effect” on software development. If passed, the bodies argue, more than 70% of the software in Europe will be regulated without an in-depth consultation.

Moving forward, EU regulators must strike the right balance to enhance cybersecurity and avoid negative impacts on the open-source community. Let’s explore how.

What is the Cyber Resilience Act?

Regulators are trying to do the right thing with this act. Connected devices and sensors are ever more deeply integrated into key industries that handle sensitive data. And yet most vendors don’t adhere to minimum cybersecurity standards. Cheap devices are a dime a dozen and regularly give attackers a foothold in home and work networks. From default passwords to unsupported software, the act attempts to mitigate significant weaknesses in IoT.

The upcoming act looks to rectify this with mandatory cybersecurity measures for “products with digital elements” sold in Europe. Broadly, the regulation strives to enhance digital product security, establish a comprehensive framework for hardware and software producers, promote security transparency and ensure secure products for customers. Moreover, by prohibiting the sale of products with known exploitable vulnerabilities, regulators want to reduce attack surfaces across the continent.

Unveiled in September 2022, the act remains up for debate. If approved, hardware and software creators must conduct regular vulnerability tests, while European member states ensure compliance through market surveillance bodies. And, for those who don’t comply, hefty fines apply of up to €15m or 2.5% of global annual turnover, whichever is higher.

Why the Open-Source Community is Nervous

While some praise the act for its thoroughness, others worry it goes too far. The open-source community is firmly in the latter camp. In April 2023, the European Commission received the community’s letter, signed by open-source juggernauts like the Eclipse Foundation, Linux Foundation Europe, OpenForum Europe and 10 other industry bodies. In it, the groups claim they have not been adequately consulted and that, as a result, the wording is too broad.

Currently, the act attempts to placate these concerns by noting that “free and open-source software developed or supplied outside the course of a commercial activity” will not face restrictions. The issue, however, is that open source is not this homogeneous. Developers actively create and maintain open-source projects across diverse domains, encompassing government, non-profit, corporate, community, academic and independent contexts. A volunteer-maintained library that accepts donations, is sponsored by a company, or ends up bundled into a paid product sits somewhere between the two categories. It’s therefore difficult to make blanket judgment calls on what constitutes a “commercial activity.” In reality, the lines are far more blurred.

Meanwhile, the community believes some elements of the draft act are impossible to achieve. GitHub wrote in its submission to the European Parliament: “Annex I requires delivery ‘without any known exploitable vulnerabilities,’ but this risks an unobtainable objective, as manufacturers regularly learn of new vulnerabilities and make risk-based assessments on the need to prioritize fixes for timely delivery of product updates.”

If passed in its current form, the act will, the open-source community believes, significantly hamper its ability to innovate. In Europe, this chilling effect threatens more than €100bn in economic impact. For this reason, the group states that the legislation poses “an unnecessary economic and technological risk to the European Union.”

Regulators and Developers Must Come to the Table

The good news is that developers are willing to work with regulators in fine-tuning the act. And why not get them involved? They know the industry, have deep insight into current processes and fully grasp the intricacies of open source. Additionally, open source is too lucrative and important to ignore.

One suggestion is to clarify the wording. For example, replace “commercial activity” with “paid or monetized product.” This would go some way to narrowing the act’s scope and ensuring that open-source projects are not unnecessarily targeted. Another is to differentiate between market-ready software products and stand-alone components, so that requirements and obligations are tailored to each rather than applied uniformly to every library a product happens to include.

Meanwhile, regulators can write funding into the legislation to actively support open source. For example, Germany already grants resources to support developers in maintaining open-source software projects of strategic importance. A similar sovereign tech fund at EU level could prove instrumental in supporting and protecting the ecosystem across the continent.

Now it’s up to regulators to answer the call. The European Union should be encouraged that developers want action on cybersecurity standards. At the same time, though, developers want to ensure the act doesn’t unintentionally impede their work. Ideally, both sides can engage in good faith and clarify the areas of concern. With robust debate and appropriate concessions, a more secure connected device ecosystem awaits.
