The European Parliament’s adoption of the Cyber Resilience Act (CRA) has sparked a collaborative effort among seven open source foundations. The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation are joining forces to develop common specifications and standards for the CRA.
Componentry: The Heart of Open Source Development
It’s estimated that between 70% and 90% of software today comprises open source components. These components are developed by programmers in their own time, often without any financial compensation. The Cyber Resilience Act aims to regulate cybersecurity practices for both hardware and software products sold within the European Union.
The Legislation’s Impact
The CRA introduces penalties for non-compliance, including fines of up to €15 million or 2.5% of global turnover. This has raised concerns among open source developers about liability for security defects in downstream products. However, the revised legislation offers some protections by clarifying exclusions for open source projects and introducing the concept of "open source stewards."
Open Source Stewards: A New Role
The Eclipse Foundation’s executive director, Mike Milinkovich, expressed his satisfaction with the outcome, stating that the process worked, and the open source community was listened to. The CRA recognizes "open source software stewards" as economic actors within the software supply chain. This marks a significant shift in acknowledging the role of foundations and community stewards.
Documentation: A Key Challenge
Open source projects often lack comprehensive documentation, making it difficult for downstream manufacturers and developers to support audits and implement CRA processes. Existing best-practice standards, such as those developed by the Eclipse Foundation, need to be aligned and documented more comprehensively to address the challenges the legislation introduces.
The Collaboration’s Goal
The seven open source foundations aim to develop common specifications and standards for the CRA. This collaboration will be spearheaded in Brussels by the Eclipse Foundation, which hosts hundreds of individual open source projects spanning developer tools, frameworks, specifications, and more.
The intersection of cybersecurity and open source development has never been more pressing. As the tech industry grapples with the implications of the CRA, it’s clear that collaboration is essential for developing effective solutions.
About the Author
Paul Sawers is a senior writer based in London, covering UK and European startups, as well as other subjects he’s passionate about, including open source software. Prior to joining TechCrunch, Paul gained over a decade of experience covering consumer and enterprise technologies for The Next Web (now owned by the Financial Times) and VentureBeat.