EU lawmakers finalize cyber security rules that panicked open source devs

The European Union’s Parliament and Council have reached an agreement on the Cyber Resilience Act (CRA), setting the long-awaited security regulation on a path to final approval and adoption, along with new rules exempting open source software. The CRA was proposed by the European Commission in September 2022 and imposes …

  1. Bebu Silver badge

    Seems the CRA could benefit open source maintainers.

    If the basic principle were that, if you are making more than mouse money from a software product or service, you must comply with these rules or incur the penalties. If you use open source software in any product covered by this directive then the onus is on you (and not the maintainer) to meet the specified timelines etc. So you either in-house everything (and hire more coders etc) or throw some money at the open source projects. A win-win from my perspective.

    I suspect that the possibility of non-EU vendors deciding not to continue to supply their products to EU states has crossed the minds of those behind this proposed legislation but I am sure that prospect hasn't resulted in any sleepless nights. ;)

    1. Doctor Syntax Silver badge

      Re: Seems the CRA could benefit open source maintainers.

      "I suspect that the possibility of non-EU vendors deciding not to continue to supply their products to EU states has crossed the minds of those behind this proposed legislation"

      It would leave space for an EU industry to take up. On the other hand I doubt any of the usual suspects will be deterred.

      1. Krooty

        Re: Seems the CRA could benefit open source maintainers.

        The problem is that this will massively encumber smaller operators in comparison to bigger players. So, maybe outside firms pull back. The likely result is that only closed source dev work will grow, and we'll see stakeholders have even less control over their software.

        I see two reasons for this: 1) Open Source is more transparent, so the risk of being found to not be in compliance is greater, especially because the mealy-mouthed vagueness of both "free and open source" and "commercial activity" seem to not understand that the two are not mutually exclusive. 2) If a company contracts someone to write a piece of software for them, that person might be on the hook for five years of support. This means giving them the source code for their commissioned software can expose the dev to unreasonable and burdensome costs.

        Now, maybe squirreled in the 35,000+ words of the act are carve-outs. But it still interacts in complex ways with other legislation, and I doubt the majority of contract devs in Europe have the skill or confidence to parse their liabilities.

    2. Kurgan Silver badge

      Re: Seems the CRA could benefit open source maintainers. (no, actually no)

      So this law will make commercial software more secure (we hope) and far more expensive (to cover the cost of abiding by this law). And maybe it will not change anything for open source software (unless it hits it badly anyway because of a lot of grey areas and dubious meanings).

      Then someone will just say "see, commercial software has to meet higher standards, while open source is rubbish, security-wise" and the next "best practices" (or even the next law) will REQUIRE businesses to use only commercial software because of its higher security standards. So if you are to be compliant with newer rules for software USERS, and not for software authors, you'll HAVE TO USE COMMERCIAL SOFTWARE.

      At this point open source will become irrelevant and commercial software will double its cost, since you will not be able to avoid using it for anything that's business related.

      The whole issue here is that Europe is good at making laws that require easily reachable subjects to bear the burden of infosec, while hardly reachable subjects (the cyber crooks) will NEVER BE PUNISHED. Basically we are punishing the victims.

  2. m4r35n357 Silver badge

    Licences?

    Are they going to allow companies to hide behind shitty new "custom" licences, or will it be restricted to GPL/BSD compatible stuff?

  3. ChoHag Silver badge

    Zeroed-In Technologies

    ZIT popped?

  4. BinkyTheMagicPaperclip Silver badge

    Will it be largely useless, like GDPR?

    The idea is great, just like GDPR was. The reality is it annoys everyone and there's no punishment for companies that flout the rules.

    It *should* mean that all phones will have to last for five years. Be interesting to see manufacturers squeal.

    Without enforcement, the laws are largely useless, but it's a useful step in the right direction.

    1. Anonymous Coward

      Re: Will it be largely useless, like GDPR?

      H&M were fined 35 million Euros by Germany for illegally monitoring their employees

      1. BinkyTheMagicPaperclip Silver badge

        Re: Will it be largely useless, like GDPR?

        I'm sure there are specific, high profile, politically sensitive examples where 'the rules work'.

        I'm more interested in the general experience, and well, outside of the high-profile examples: there is a lack of interest. So, smaller companies who flout the rules will carry on as they know the chance of enforcement is low.

        It'll have some effect, and get people thinking, just like GDPR did. But largely it will be the companies that care and would have actioned this even without legislation that will comply.

        1. t245t Silver badge

          Re: Will it be largely useless, like GDPR?

          > I'm sure there are specific, high profile, politically sensitive examples where 'the rules work'.

          Back in the day, there was something called ‘Work to Rule’. Something invoked by a Union when in dispute with management. Which meant actually invoking the rules. Which invariably caused the business to screech to a crawl. Which will probably mean the CRA will be mostly ignored.

        2. John Brown (no body) Silver badge

          Re: Will it be largely useless, like GDPR?

          "I'm more interested in the general experience, and well, outside of the high-profile examples: there is a lack of interest. So, smaller companies who flout the rules will carry on as they know the chance of enforcement is low."

          That's a good question. I suspect there probably are many smaller, low profile cases that don't make the news. One of the regular complaints on these very pages, as well as elsewhere, is how law enforcement don't go after the high profile case but prefer the "low hanging fruit". Partly because it's cheap and easy to pad out the results and partly to establish some case law where it's unlikely to be a very long and drawn out case with multiple appeals from multinationals with expensive legal teams.

          1. Anonymous Coward

            Re: Will it be largely useless, like GDPR?

            A non-low-hanging fruit?

            https://www.theregister.com/2023/12/05/spanish_media_meta_lawsuit/

  5. Doctor Syntax Silver badge

    "In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation,"

    As I recall the original objections the issue turned on the definition of "commercial" which threatened to catch a developer if, for instance, they were paid to give a talk somewhere. This needs to have been fixed.

    1. Daniel Pfeiffer

      "should not" – what does that even mean?

      Like, I mean, um, if anybody cares to prevent it… We might not go after them, but who knows.

  6. Gene Cash Silver badge

    Dollar Tree and Family Dollar?

    Jeez, that's like trying to rob the homeless guy with a sign on the streetcorner. There's not much to gain there. Neither customers nor employees will have much to steal.

    "You're going to steal my identity? Sure, here's my underwater mortgage and the car payments I'm 3 months behind on..."

  7. Anonymous Coward

    So, they're just going to kill commercial open source devs?

    "outside the course of a commercial activity"

    That's a pretty problematic caveat right there.

    Does that put Lenovo on the hook for security vulnerabilities in Fedora? After all, they will sell you a laptop with it pre-loaded.

    What about Rocky or Alma, who don't sell the OS, but sell support for it? Are they on the hook for security vulnerabilities in the kernel, even though they don't actually sell the OS?

    Or the likes of HPE - whose HPE Cray OS is based on Linux? Are they on the hook, given that the supercomputers they build are shipped with their custom in-house Linux spin integrated into it?

    What are the implications for AMD and their move to open firmware?

    It still feels like the legislation is blind to the complexities of the Open Source model, and doesn't realize that something can be both FOSS, and deeply tied into commercial activity.

    Once again, the EU has permitted - as most governments do, though the EU seems especially gifted at it - a cabal of people illiterate in the space in which they are legislating to draft a nice legal document which fails in critical ways to actually conform to the reality of the world they are trying to legislate. And, because it is a fundamentally unaccountable and a-democratic institution, the fallout for the 400-odd million people who have to live with it will be largely unaddressed. Yet another layer of byzantine regulation which will encumber anyone who tries to follow it, will likely curtail or kill small businesses and innovators, and will be ignored and skirted by anyone who can afford the lawyers and lobbyists to do so.

    1. Daniel Pfeiffer

      Re: So, they're just going to kill commercial open source devs?

      These companies have a choice of expensively cooking their own and supporting it, or only supporting open source (with community help).
