
Open source foundations join forces to develop common standards for EU Cyber Resilience Act

Seven open source foundations are joining forces to develop common norms and standards for the European Cyber Resilience Act (CRA), which the European Parliament passed last month.

The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation have announced their intention to pool their collective resources and connect the dots between the security best practices that already exist in open source software development and the requirements the new legislation will impose when it comes into force in three years, so that the much-maligned software supply chain is up to the task.


It is estimated that 70 to 90 percent of today's software is composed of open source components, many of which are developed by volunteer programmers on their own time and at their own expense.

The Cyber Resilience Act, first published in draft form nearly two years ago, aims to establish cybersecurity best practices for hardware and software products sold in the EU. It is designed to oblige manufacturers of any product that connects, directly or indirectly, to another device or to the internet to keep that product up to date with security patches and updates, with penalties for shortcomings.

Penalties for violations include fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

The legislation in its initial form drew fierce criticism from numerous third parties, including more than a dozen open source industry bodies, which wrote an open letter last year warning that the bill could have a "chilling effect" on software development. The crux of the complaint was that "upstream" open source developers could be held liable for security flaws in downstream products, which could lead volunteer maintainers to abandon work on critical components for fear of legal reprisals (similar to the widespread concerns surrounding open source projects under the EU Artificial Intelligence Act, which was approved last month).

The language of the CRA does provide some protection for the open source space, in that developers who are not commercializing their work are technically exempt. However, the text is open to interpretation as to what exactly falls under the "commercial activities" banner: do sponsorships, grants, and other forms of financial assistance count, for example?

Eventually, changes were made to the text, and the revised legislation largely addressed these concerns by clarifying the exclusions for open source projects.

Although the new regulation has been approved, it will not take effect until 2027, giving all parties time to meet its requirements and iron out the details that are still expected to be worked out. That is what the seven open source foundations are now coming together to do.


The way many open source projects have evolved means that their documentation is often incomplete, if it exists at all, which makes it difficult to support audits and difficult for downstream manufacturers and developers to build their own CRA processes.

Many of the better-resourced open source initiatives already have best-practice standards in place for things like coordinated vulnerability disclosure and peer review, but each organization may use different approaches and terminology. By pooling their efforts, the foundations hope to go some way toward treating open source software development as a single "thing" governed by the same standards and processes.

Coupled with other proposed regulations, including the Securing Open Source Software Act in the United States, it is clear that the various foundations and "open source stewards" will come under greater scrutiny for their role in the software supply chain.

"While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack consistency and comprehensive documentation," the Eclipse Foundation wrote in a blog post today. "The open source community and the broader software industry now face a common challenge: legislation urgently requiring cybersecurity process standards."

The new collaboration, initially made up of the seven foundations, will be led by the Brussels-based Eclipse Foundation, home to hundreds of independent open source projects covering developer tools, frameworks, specifications and more. The foundation's members include Huawei, IBM, Microsoft, Red Hat and Oracle.
