read the CRA

[chadwhitacre]

Reticketed from https://github.com/chadwhitacre/openpath/issues/39. This is a BFD.

The Cyber Resilience Act (CRA) is a piece of European Union legislation that regulates software as a product. Toys and electronics and appliances and such must meet certain safety standards and carry the CE mark to be sold in Europe. The CRA is on its way to enter into force in 2027, at which point "products with digital elements" (i.e., software) will likewise need to meet certain safety (i.e., security) standards and carry the CE mark.

The Product Liability Directive (PLD) is a related document that is also getting an update to make it clear that software manufacturers are on the hook for bugs in their code, even far downstream.

This ticket includes a reading list and my first attempts to take on board some of the implications of this legislation.

[chadwhitacre]

Compliance vendors are already emerging.

https://www.i46.cz/ https://www.i46.cz/2024/01/18/the-cyber-resilience-act-bringing-all-developers-including-open-source-under-its-umbrella/

[chadwhitacre]

Reading List

Primary

• Europe’s Digital Decade: digital targets for 2030
• Cyber Resilience Act (PDF; HTML)
• EU Cyber Resilience Act unhelpful top-level page
• original 2022 blog with links to outdated drafts

Secondary

• Wikipedia
• Linux Foundation

Commentary

• [x] 2023-01-15 – European Cyber Resilience Act: Potential Impact on the Eclipse Foundation, Eclipse
• [x] 2023-01-30 – The ultimate list of reactions to the Cyber Resilience Act, OSI/Webmink
• [x] 2023-03-14 – The comprehension error behind the CRA issue, Webmink
• [x] 2023-04-11 – The EU's Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem, PSF (HN, Reddit)
• [x] 2023-04-17 – Open Letter to the European Commission on the Cyber Resilience Act, Eclipse
• [x] 2023-09-08 – Understanding the Cyber Resilience Act, Linux Foundation
• [x] 2023-09-12 – Will the Cyber Resilience Act help the European ICT sector compete?, Linux Foundation
• [x] 2023-09-19 – The European Cyber Resilience Act, LWN
• [x] 2023-10-13 – Can open source be saved from the EU's Cyber Resilience Act?, sjvn in The Register (Reddit)
• [x] 2023-10-25 – EU Cyber ​​Resilience Act would harm open source software and competitiveness, EDRi
• [x] 2023-10-30 – EU policymakers’ advance on open source software, support period in new cybersecurity law, Euractiv
• [x] 2023-11-20 – The Cyber Resiliency Act and Open Source Concerns, SparkFabrik
• [x] 2023-11-27 – Presentation of the Cyber Resilience Act, OpenForum Europe 📺
• [x] 2023-12-04 – EU Cyber Resilience Act Takes a Leap Forward
• [x] 2023-12-19 – Good News on the Cyber Resilience Act, Eclipse
• [x] 2023-12-27 – Statement about the EU Cyber Resilience Act, Debian
• [x] 2023-12-30 – EU CRA: What does it mean for open source?, bert hubert (HN)
• [x] 2024-01-12 – EU’s Cyber Resilience Act Passes with Wins for Open Source
• [x] 2024-01-15 – EU amendment changes open source definition, ComputerWeekly
• [x] 2024-01-15 – Open source wins concessions in new EU cyber law, Developer
• [x] 2024-02-02 – Meet the OSS Stewards - Foundations’ New Role, OpenForum Europe 📺
• [x] 2024-02-02 – The European regulators listened to the Open Source communities!, OSI blog
• [x] 2024-02-03 – The Regulators Are Coming: One Year On, FOSDEM panel
• [x] 2024-02-04 – CRA: 40 new ways the CRA can accidentally harm open source, FOSDEM
• [x] 2024-02-07 – What I learned in Brussels: the Cyber Resilience Act, NLnet Labs
• [x] 2024-02-19 – Europe’s Cyber Resilience Act: Redefining open source, SecurityIntelligence
• [x] 2024-04-02 – The Open Source Community is Building Cybersecurity Processes for CRA Compliance, Eclipse
• [x] 2024-04-10 – Securing Open Source Software, the Cyber Resilience Act Way, sjvn in DevOps

[chadwhitacre]

I made this ticket while watching "EU Open Source Policy Summit 2024 Panel: Meet the OSS Stewards - Foundations’ New Role," which kinda blew my mind tbh. I've had CRA on the edge of my radar, but ... this is big.

The software industry from now on is, essentially, regulated, and that is a massive, massive change.

(src)

These transitions [from Developer, to Steward, to Manufacturer], in the future we will need to make very explicitly, and clearly announce them in a certain way, so that it's clear which role you play at a certain time.

(src)

A few more notes from a first pass through this video:

• CRA regulates software in the European market, products with "digital elements."
• The text is complete, and goes into effect in 2027.
• CRA defines three kinds of entity: Manufacturer, Steward, and Individual Developer.
  • Manufacturers are companies. These already have some level of process in place already (SOC 2, etc.), though MDD/MDR is cited as similar to CRA and also adding 30% to software costs in the medical field, so I'm not sure what the impact is expected to be on Manufacturers.
  • Stewards are Open Source foundations. For large projects they have some processes in place. What about small projects? What about registries?
  • Developers are individuals.
• CRA specifies 44 obligations, for each of which a standard will be developed prior to enforcement. A standard is a default checklist procedure, following which is agreed to meet the obligation. "The raw way to comply with the CRA is read it yourself and make a procedure. The standard should be an easier way. It should be more detailed, more practical."
• CRA requires Manufacturers to produce an SBOM on demand and perform due diligence on their supply chain, which impacts Stewards and Open Source usage.

The CRA will have some effect on Manufacturers but I don't care so much about that. What effect will it have on OSS foundations and indie devs? It seems like it will be really significant.

[mswilson]

Here's a link to the adopted text: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

The drafts in https://github.com/chadwhitacre/openpath/issues/40#issue-2238422830 are outdated.

[chadwhitacre]

The Eclipse news was put on my radar right before it broke, during a call with a director of one of the foundations involved.

LF is conspicuously absent from this latest, though they were on the original open letter. Looks like they have their own effort, ... aaaaand, "It will unfortunately require a little bit of centralization from us." 😒 🤨 🧐

[chadwhitacre]

@mswilson Why is that link so hard to find from either their main page or Wikipedia? 😭 Where did you get it from?

[chadwhitacre]

En route from Lulu. 👍

[ShaneCurcuru]

The CRA is only one part of the legislative framework; the revised Product Liability Directive (PLD) may also end up defining some of the specific factors around what's a "product" that would need to meet higher standards. Current PLD draft text excludes "Free and open-source software...", but it's not clear in practice how that will actually be interpreted.

PLD is definitely not an easy thing to research, but here's one overview that explains the concept: https://www.taylorwessing.com/en/insights-and-events/insights/2024/03/software-als-produkt

Essentially, the EU thinks products should be fit for purpose, or otherwise the producer could be liable. The revised PLD will essentially treat software as a product, with liability more like a car than like what software engineers expect. 😿

[chadwhitacre]

Point made here is that if manufacturers are responsible for due diligence, that puts backpressure on upstream OSS to conform even if not directly named.

---

A couple places where tension between formal foundation and informal community comes up:

• https://www.youtube.com/watch?v=jvKvsP6OGKw#t=13m30s (LF)
• https://www.youtube.com/watch?v=jvKvsP6OGKw#t=17m47s (PSF)

[mswilson]

@mswilson Why is that link so hard to find from either their main page or Wikipedia? 😭 Where did you get it from?

I have no idea why it's so hard. It took quite me a while to find. I happened to know a unique phrase that was added in the adopted text, and Google found it.

[chadwhitacre]

PLD is definitely not an easy thing to research

I found a helpful lightning talk from the FOSDEM policy track.

[chadwhitacre]

Also (from here):

Omar Enaji's (European Commission) introduction to the PLD during the "The Regulators Are Coming: One Year On" (starting at 25min20s) at FOSDEM's main stage

[chadwhitacre]

(twitter)

[pombredanne]

@chadwhitacre too bad you kept it to yourself! https://www.lulu.com/search?sortBy=RELEVANCE&page=1&q=cyber+resilience+act

[chadwhitacre]

@pombredanne Hah! 😁 It's a little more complicated to publish to Lulu vs. printing for oneself. I did try to determine copyright information for the document. It should be public domain, right? In the end I decided not to bother. It's easy enough to upload the PDF and print it, and if someone else wants to publish it on the Lulu bookstore, I'm certainly not going to get in their way. 😉

[chadwhitacre]

Regarding the roles defined with the CRA—manufacturer, steward, individual—I found this comment from Mirko insightful:

The first question is, which of the roles are you? Make sure you know, and then act at least according to what we know today. This leads to a couple of really interesting questions, because our projects grow very dynamically. An individual developer has a great idea, starts to work on something on the weekend. It has legs. It starts to grow. Three people start pitching in, they start making regular releases. At what point does this group now become a steward? Also, they start selling, maybe, support contracts. They will become a business. These transitions from, "I'm a hobbyist, I contribute to somebody else's project," to, "I become maybe a small community, maybe I put that community under the umbrella of a foundation," or, "I will start a business"—these transitions, in the future, we will need to make very explicitly, and clearly announce them, in a way, so that it's clear which role you play at a certain time.