Open Source Foundations Unite on Common Standards for EU's Cybersecurity Resilience Act | TechCrunch


Seven open source foundations are coming together to create common specifications and standards for Europe's Cyber Resilience Act (CRA), a regulation approved by the European Parliament last month.

The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation have announced their intention to pool their collective resources and join the dots between existing security best practices in open source software development. Much of the software supply chain will have to meet those standards when the new law takes effect in three years.


It is estimated that between 70% and 90% of software today is made up of open source components, many of which are freely developed by programmers on their own time and with their own money.

The Cyber Resilience Act was first unveiled in draft form nearly two years ago with the aim of codifying cybersecurity best practices for hardware and software products sold across the European Union. It is designed to force manufacturers of any internet-connected product to keep up to date with the latest patches and security updates, and it imposes penalties on those who fail to do so.

Penalties for non-compliance include fines of up to €15 million or 2.5% of global turnover.

The law prompted sharp criticism from several third-party organizations in its initial phase, including more than a dozen open source industry organizations that wrote an open letter last year saying the law could have a “chilling effect” on software development. The complaints centered on how “upstream” open source developers could be held responsible for security flaws in downstream products, deterring volunteer project maintainers from working on critical components for fear of legal retribution (similar to concerns surrounding the EU AI law that was greenlit last month).

The wording of the CRA regulation does offer some protection to the open source realm, which is technically exempt as long as developers are not commercializing their work. However, the language is open to interpretation precisely around the “commercial activity” banner: do sponsorships, grants and other forms of financial assistance count, for example?

Some changes to the text were eventually made, and the amended law substantially addressed the concerns by clarifying the open source project exemptions.

Although the new regulation has already been rubber-stamped, it won't come into force until 2027, giving all parties time to meet the requirements and iron out some of the finer details of what is expected of them. And now seven open source foundations are coming together.


The way many open source projects evolve means they often have patchy documentation (if any), which makes it difficult to support audits and difficult for downstream manufacturers and developers to build their own CRA processes.

Many well-resourced open source initiatives already follow appropriate best practices, such as coordinated vulnerability disclosure and peer review, but each entity may use different methods and terminology. By coming together, the foundations go some way toward making open source software development a single “thing” that adheres to the same standards and processes.

Throw into the mix other proposed regulations, including the Securing Open Source Software Act in the US, and it's clear that various foundations and “open source stewards” will be under more scrutiny for their role in the software supply chain.

“While open source communities and foundations generally adhere to and have historically adhered to industry best practices regarding security, their policies often lack alignment and comprehensive documentation,” the Eclipse Foundation wrote in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.”

The new collaboration, while initially consisting of seven foundations, will be spearheaded in Brussels by the Eclipse Foundation, home to hundreds of individual open source projects spanning developer tools, frameworks, specifications and more. Foundation members include Huawei, IBM, Microsoft, Red Hat and Oracle.
