We finally have a deal on the Cyber Resilience Act.
It is an EU regulation intended to make internet-connected products safer. In other words, it tackles the IT security and software maintenance of your smart toaster and AI-powered fridge. The instrument chosen is to impose obligations on manufacturers and/or vendors. We were involved in these negotiations because the newly proposed obligations could have seriously messed up the free and open source software ecosystem.
Perhaps unintentionally, the initial proposal and some of the interim versions did not clearly protect free software and risked making individual volunteer contributors of code to free software projects liable and subject to the same stringent obligations as large companies.
What was adopted?
The final version of the agreed text seems to take care of most free and open source pain points, but remains terribly written and confusing. It packs many of the definitions in recitals (the non-active, explanatory part of the text) while also leaving a lot of the practicalities of how to comply with its obligations to future delegated acts (e.g. guidelines) to be issued by the Commission. While this certainly gives maximum flexibility, it also means that there is a lack of clarity as to what was actually adopted. It also disregards key elements of the European Commission’s own Better Regulation Guidelines.
What is carved out?
In the end the CRA will not harm free software and is unlikely to wreak havoc on the open source environment, as long as it is outside a commercial activity.
Two main clarifications were added in the final stretch:
(10c) […] the provision of free and open-source software products that are not monetised by their manufacturers is not considered a commercial activity.
(10c) This Regulation does not apply to natural or legal persons who contribute source code to free and open-source products that are not under their responsibility.
There are further similar carve-outs for not-for-profits, for academia and for micro-enterprises. In fact, the exclusions go as far as to cover non-profit organisations that sell open source software on the market but reinvest all the revenues in not-for-profit activities.
Who is liable?
The CRA applies to commercial activity, as stated in the text:
“(10) This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity.”
Of course, the question is what a commercial activity is. We have a web of explanations of what it isn’t (see above). The text also tells us that requiring the processing of personal data (beyond what is strictly necessary) is considered a commercial activity.
I personally would expect plenty of fringe cases and even court challenges.
What are the obligations and who will enforce them?
A key element of the proposal is for manufacturers and developers to define a support period that reflects the time the product is expected to be in use, and to provide security updates during that period.
Manufacturers would need to test the security adequacy of their products by undergoing an assessment. This can be done via self-assessment. After that they can draw up an EU declaration of conformity and will be able to affix the CE marking.
In case of non-compliance, market surveillance authorities could require operators to bring the non-compliance to an end and eliminate the risk, to prohibit or restrict the making available of a product on the market, or to order that the product is withdrawn or recalled. Each of these authorities will be able to fine companies that do not adhere to the rules.
What’s next?
As mentioned, the European Commission will now start a process of drafting and adopting guidelines and standards and, hopefully, clarify many of the open questions.
Most importantly, the Commission has tasked CEN/CENELEC (European standardisation organisations recognised by the EU and EFTA) with drafting secure software development standards. These will serve as the basis of the assessments or self-assessments needed to put the CE marking on your products, which in turn will be needed to put products on the EU market.
The processes are supposed to be quite participatory. Expect calls for feedback and public consultation from the Commission.
Further Reading
To reiterate, this is a terribly written law with good intentions at heart. It is likely to create heaps of work for the administration, regulators, companies, open source projects and individuals, while the effects aren’t obvious, at least for now. The fact that free software was carved out and open source has plenty of safeguards is a weak consolation prize.
If you would like to dig deeper into the actual text and open source carve-out language, I highly recommend the post EU CRA: What does it mean for open source? by Bert Hubert.