SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
EU's Cyber Resilience Act conflicts with open-source definitions, says OpenUK CEO
Wed, 10th Jan 2024

The European Union (EU) has published the final text of the Cyber Resilience Act (CRA), legislation that, among other things, sets out how free and open-source software is treated. Amanda Brock, CEO of OpenUK, has raised concerns that the Act's description of open source fails to align with the broader open-source definitions recognised within the industry.

The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products with a digital component, hardware and software alike. It introduces mandatory cybersecurity requirements for manufacturers and distributors of such products, with the obligations extending across the whole product lifecycle rather than ending at the point of sale.

The final text of the Cyber Resilience Act describes free and open-source software as "software the source code of which is openly shared, and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software is developed, maintained, and distributed openly, including online platforms."

Ms Brock expressed confusion over the Commission's decision to describe open-source software in this way without explaining why the established definitions had been set aside.

This description, Ms Brock argued, is not in alignment with the definitions the EU Commission itself has conventionally used. She noted that the final text can still be modified during the review by 'lawyer linguists', and suggested that open-source communities should use this window as a final attempt to persuade the Commission to revisit the wording and incorporate the established definitions.

Further, the definition adds a condition on how code is developed before it can be categorised as open source, namely that it be developed, maintained and distributed openly. Ms Brock believes this could cause unnecessary confusion and friction within the tech sector. According to her, free and open-source software has historically never been required to be developed in the open; it is frequently released as open source only at a later stage, after private development.

The implications of the Act's definition, as Ms Brock sees them, may not be limited to the confines of the CRA and could also affect how open-source software is treated under AI and product liability regulations. In her understanding, the Commission might be attempting to narrow the range of software that can be classified as 'open-source' under the Act, or might simply lack a proper understanding of how open-source development works.

Where AI and product liability regulations are concerned, understanding the Commission's motives behind such an unusual approach to open source becomes even more critical.

Ms Brock underlined the urgency of the promised guidance on how the Act applies to free and open-source software; the CRA is expected to be accompanied by over 40 standards. Stressing the need for immediate guidance, she said, "As it stands, the guidance can't come too soon." These issues will be discussed, along with other topics, at OpenUK's forthcoming State of Open Con event.