The European Parliament Industry, Research and Energy Committee (ITRE) approved its report on the Cyber Resilience Act (CRA). It also voted for a fast track process. (updated 1) The CRA is meant to strengthen software security.
Prior to the vote, many individuals and free and open source software organisations were very critical: EFF, FossForce, Bert Hubert 1, Bert Hubert 2, Team NLnet Labs, Apache Software Foundation, Opensource org, GitHub, CNLL, Vrijschrift, major industry associations, overview.
After the vote, organisations are just as critical. FossForce: Bad News for Open Source: EU Committee Approves the Cyber Resilience Act
“I’m discouraged that the proposed legislation has made it this far, and concerned that industry response so far is not robust enough to counter what is likely to be very damaging if it is enacted,” Joe Brockmeier, head of community at Percona said in a statement after the approval was announced.
The German automotive industry is worried about the impact of the legislative proposal. So is Joomla. The Inter-CMS Working Group writes:
However, in their current form, the proposed regulations run the risk of reducing software security, as well as undermining the EU’s core aims and values, as we explain below.
I haven’t been involved with the CRA earlier, and others are more knowledgeable regarding this proposal. In this blog I will limit myself to
(i) arguing that the ITRE text violates the EU Joint Practical Guide by putting safeguards in the recitals, where they may be completely ineffective, and as a result creates legal uncertainty which may be very damaging for the software industry, especially the free and open source software community;
(ii) concluding that fixing the text is of strategic importance; and
(iii) suggesting an approach: a shared set of high quality amendments with broad support could make the open source community’s case more compelling.