SECURITY
EU passes Cyber Resilience Act
EU states have agreed to draft legislation, despite opposition from the Linux Foundation and others. Is this the end of open source in Europe?
The Cyber Resilience Act was proposed in September 2022 and mostly seems to target interconnected equipment such as IoT devices. In theory, it ensures minimum standards for connected devices as well as requiring mandatory security updates. As well meaning as the legislation is, the impact on open source development could be devastating. In April, more than a dozen open source industry bodies, including the Linux Foundation Europe, wrote an open letter to EU legislators asking them to reconsider the current wording (https://newsroom.eclipse.org/ news/announcements/open-letter-europeancommission-cyber-resilience-act).
In theory, the Act exempts “free and open source software developed or supplied outside the course of a commercial activity”.
In practice, many open source projects would be considered commercial if any contributors were paid for their work. This would encompass most major versions of Linux, as well as popular open source apps such as LibreOffice.
Some aspects of the Act would also be almost impossible to guarantee. In January, GitHub pointed out that Annex I, for instance, would require software to be delivered “without any known exploitable vulnerabilities”. The company points out that vulnerabilities exist on a “continuum of risk” and new ones are being discovered all the time.
The open letter
