The European Cyber Resilience Act (CRA) is intended to oblige manufacturers and suppliers of products with digital components to higher security standards for their products. While the Open Source Business Alliance (OSBA) endorses the goals of the CRA, it warns that the draft is primarily aimed at proprietary software. The special development and sales models of open source are currently only insufficiently considered. For example, manufacturers of open source software have no influence on the form in which third parties download and distribute their software.
The CRA provides exceptions for open source. However, the OSBA criticizes that these exceptions are limited to non-commercial activities. However, there is a gray area here: open source is often the result of cooperation between companies with a commercial interest and volunteers with no commercial interest. A clear distinction between commercial and non-commercial is therefore not easy. Under the current draft, many non-commercial open source projects would also fall under the CRA, which would not have the resources to meet its requirements.
Is the CRA destroying the open source ecosystem?
The OSBA fears that because of this, open source maintainers and entire projects could give up or withdraw from Europe. The current draft of the Cyber Resilience Act ultimately endangers the open source ecosystem in Europe, which is so important for software development and digital sovereignty. The OSB Alliance – Federal Association for Digital Sovereignty eV has therefore published a statement in which the association makes suggestions for formulations that are intended to eliminate the current uncertainties.
The OSBA is calling on the federal government to ensure that the open source ecosystem and Germany’s digital sovereignty are adequately protected in the CRA in the trilogue negotiations between the EU Commission, Council and Parliament, which are expected to start in September. In addition, the CRA should not hold the creator of open source software responsible, but rather the “distributor” or service provider, if money is required for this.
Go to home page
#Cyber #Resilience #Act #OSB #Alliance #warns #threats #open #source