EU Lawmakers Finalize Tough Cyber Security Rules
The CRA was proposed by the European Commission in September 2022 and imposes mandatory cyber security requirements for all hardware and software products - from baby monitors to routers, as the EU Commission put it.
Once in force, which will happen 20 days after its adoption by Parliament and the Council, the CRA will require hardware and software makers to meet some intimidating targets. Included in the rule are a 24-hour disclosure period for any newly discovered security flaw under active exploitation, five years of security patch support, thorough documentation of all security features, and more.
Manufacturers, importers and distributors will have 36 months to adopt the requirements or face fines of up to €15 million or 2.5 percent of total worldwide annual turnover.
While better security is all well and good, concerns have been raised over the potential effect the CRA could have on open source software, which is often maintained by only a few people despite the importance it can have to larger products. Open source maintainers may find it hard to meet short deadlines for patches, documentation and disclosure.
[...] "We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community," lead member of the European parliament (MEP) Nicola Danti explained regarding the CRA agreement. "Only together will we be able to tackle successfully the cyber security emergency that awaits us in the coming years."