Seven leading open source foundations have announced a collaboration to establish unified specifications and standards in response to the European Union’s recently adopted Cyber Resilience Act (CRA).
The regulation, whose obligations begin to apply in 2027, aims to bolster cybersecurity across the EU by imposing security requirements on products with digital elements, both hardware and software, placed on the EU market. The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation are joining forces to align their efforts with the new legal framework, with an emphasis on securing the software supply chain.
Uniting for a Secure Digital Europe
Open-source software, which constitutes between 70% and 90% of modern software components, is often developed by volunteers.
These contributions, made in personal capacities, have raised concerns regarding the CRA’s initial draft, which was introduced almost two years ago. Critics, including more than a dozen open-source industry organizations, feared the legislation could impose undue liability on open-source developers for security vulnerabilities, potentially hindering innovation and deterring participation in open-source projects.
Similar worries were seen with the EU AI Act, prompting calls for revisions to ensure that volunteer developers were not unjustly penalized.
Addressing Community’s Concerns
Following that feedback, the CRA text was amended to clarify that open-source software developed or supplied outside the course of a commercial activity falls outside its scope, though questions remained about how “commercial activity” would be interpreted. The adjustments sought to address the open-source community’s concerns and to ensure that the regulation’s language did not inadvertently hinder the development of open-source software.
Although the CRA has been adopted, its obligations do not begin to apply until 2027, which gives those involved in open-source projects time to prepare and adapt. That lead time matters for open-source organizations, which often have incomplete or inconsistent documentation of their development and security processes; without such records it is harder to map existing practice onto the CRA’s requirements and to build the processes needed to demonstrate compliance.
Despite these challenges, many open-source groups already follow good security practices, such as coordinated vulnerability disclosure and peer review, but inconsistencies in methodologies and terminology across different entities persist.
Standardizing Open Source Security Practices
The collaborative effort led by these seven foundations aims to standardize open-source software development practices, promoting a cohesive approach to security and compliance with the CRA. By pooling resources and harmonizing their security standards, these organizations hope to address both the specific demands of the CRA and broader challenges posed by other pending legislation, such as the Securing Open Source Software Act in the U.S.
Spearheaded by the Eclipse Foundation, which boasts a diverse portfolio of open-source projects and prominent members like Huawei, IBM, Microsoft, Red Hat, and Oracle, this coalition aims to establish a precedent for collaborative compliance and innovation.
As the CRA’s implementation date approaches, the open-source community’s unified response reflects a commitment to securing the digital infrastructure upon which the modern world increasingly relies, ensuring that open-source software remains a vibrant and secure foundation for technological advancement.