Together with the open source software community, GitHub has been working to support EU policymakers to craft the Cyber Resilience Act (CRA). The CRA seeks to improve the cybersecurity of digital products (including the 96 percent that contain open source) in the EU by imposing strict requirements for vendors supplying products in the single market, backed by fines of up to €15 million or 2.5% of global revenue. This goal is welcome: security is too often an afterthought when shipping a product. But as written it threatens open source without bolstering resilience.
Even though the CRA, as part of a long-standing line of EU ‘open’ strategy, has an exemption for open source software developed or supplied outside the course of a commercial activity, challenges in defining the scope have been the focus of considerable community activity. Three serious problems remain with the Parliament text set for the industry (‘ITRE’) committee vote on July 19. These three problems are set out below. Absent dissent, this may become the final position without further deliberation or a full Parliament plenary vote. We encourage you to share your thoughts with your elected officials today.
The three problems are substantial for open source projects. First, if an open source project receives donations and/or has corporate developers working on it, it would be regulated by the CRA and thus face a huge amount of new administrative rules and regulations to follow that would no doubt be far too big a burden for especially smaller projects or individual developers. On top of that, the CRA, as it currently stands, also intends to mess with the disclosure process for vulnerabilities in a way that doesn’t seem to actually help.
These three problems are big, and could have far-reaching consequences for open source.