Wednesday, May 14, 2025

Open Source at Risk Due to the Cyber Resilience Act

In today’s world, cybersecurity threats have become a significant concern for both society and governments. In response, the European Commission has proposed the Cyber Resilience Act (CRA) to protect consumers from cybercrime by incorporating security during product design. While this legislation may seem noble, it has raised concerns about its potential threat to open-source software development, which could have global implications if adopted by the European Parliament.

During a recent podcast, Mike Milinkovich from the Eclipse Foundation discussed the potential implications of the CRA for open-source software development. At the heart of the issue is the requirement that organizations self-certify their compliance with the act. This poses a challenge for open-source projects, which are typically maintained by a small group of contributors who lack the resources to demonstrate compliance.

The concern is that, under the proposed law, individual contributors to open-source projects could be held liable for cybersecurity breaches resulting from their contributions. For example, if a vulnerability is found in a large open-source program that incorporates an individual’s code, the individual could be held responsible for any resulting data breaches. This could have a chilling effect on open-source contributions and potentially lead to fewer developers sharing their code.

While it’s true that hobbyists are likely to be exempt from liability under the CRA, this is unlikely to be sufficient to address concerns around major open-source projects such as Apache, Linux, and others. These projects are often created by paid developers working as part of a foundation or sponsor organization, and their contributions are crucial to the continued innovation of open-source software.

The EU has stated that it does not want to harm open-source development, and there is still time for the CRA to be revised to address the concerns around liability. Similar efforts are underway in other countries, which highlights the importance of balancing the protection of consumers from cybersecurity threats against fostering innovation in open-source software development.
