No cyber resilience without open source sustainability

Together with the open source software community, GitHub has beenworking to supportEU policymakers to craft the Cyber Resilience Act (CRA). The CRA seeks to improve the cybersecurity of digital products (including the 96 percent that contain open source) in the EU by imposing strict requirements for vendors supplying products in the single market, backed by fines of up to 15 million or 2.5% of global revenue. This goal is welcome: security is too often an afterthought when shipping a product. But as written it threatens open source without bolstering resilience.

Even though the CRA, as part of a long-standing line of EU open' strategy, has an exemption for open source software developed or supplied outside the course of a commercial activity, challenges in defining the scopehave beenthe focusof considerablecommunity activity. Three serious problems remain with the Parliament text set for the industry (ITRE') committee vote on July 19. These three problems are set out below. Absent dissent, this may become the final position without further deliberation or a full Parliament plenary vote. We encourage you toshare your thoughts with your elected officials today.

The three problems are substantial for open source projects. First, if an open source project receives donations and/or has corporate developers working on it, it would be regulated by the CRA and thus face a huge amount of new administrative rules and regulations to follow that would no doubt be far too big a burden for especially smaller projects or individual developers. On top of that, the CRA, as it currently stands, also intends to mess with the disclosure process for vulnerabilities in a way that doesn't seem to actually help.

These three problems are big, and could have far-reaching consequences for open source.