Open source foundations unite on common standards for EU’s Cybersecurity Resilience Act


Share post:

Seven open source foundations are coming together to create common specifications and standards for Europe’s Cyber Resilience Act (CRA), regulation adopted by the European Parliament last month.

The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation  revealed their intentions to pool their collective resources and join the dots between existing security best practices in open source software development — and ensure that the much-maligned software supply chain is up to the task when the new legislation comes into force in three years.


It’s estimated that between 70% and 90% of software today is made up of open source components, many of which are developed for free by programmers in their own time and on their own dime.

The Cyber Resilience Act was first unveiled in draft form nearly two years ago, with a view toward codifying best cybersecurity practices for both hardware and software products sold across the European Union. It’s designed to force all manufacturers of any internet-connected product to stay up-to-date with all the latest patches and security updates, with penalties in place for shortcomings.

These non-compliance penalties include fines of up to €15 million, or 2.5% of global turnover.

The legislation in its initial guise prompted fierce criticism from numerous third-party bodies, including more than a dozen open-source industry bodies who last year wrote an open letter saying that the Act could have a “chilling effect” on software development. The crux of the complaints centered on how “upstream” open source developers might be held liable for security defects in downstream products, thus deterring volunteer project maintainers from working on critical components for fear of legal retribution (this is similar to concerns that abounded around the EU AI Act which was greenlighted last month).

The wording within the CRA regulation did offer some protections for the open source realm, insofar as developers not concerned with commercializing their work were technically exempt. However, the language was open to interpretation in terms of what exactly fell under the “commercial activity” banner — would sponsorships, grants, and other forms of financial assistance count, for example?

Some changes to the text were eventually made, and the revised legislation substantively addressed the concerns through clarifying open source project exclusions.

Although the new regulation has already been rubber stamped, it won’t come into force until 2027, giving all parties time to meet the requirements and iron out some of the finer details of what’s expected of them. And this is what the seven open source foundations are coming together for now.


The manner in which many open source projects evolve has meant that they often have patchy documentation (if any at all) which makes it difficult to support audits, as well as making it difficult for downstream manufacturers and developers to develop their own CRA processes.

Many of the better-resourced open source initiatives already have decent best practice standards in place, relating to things like coordinated vulnerability disclosures and peer review, but each entity might use different methodologies and terminologies. By coming together as one, this should go some way toward treating open source software development as a single “thing” bound by the same standards and processes.

Throw into the mix other proposed regulation, including the Securing Open Source Software Act in the U.S., and it’s clear that the various foundations and “open source stewards” will come under greater scrutiny for their role in the software supply chain.

“While open source communities and foundations generally adhere to and have historically established industry best practices around security, their approaches often lack alignment and comprehensive documentation,” the Eclipse Foundation wrote in a blog post today. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.

The new collaboration, while consisting of seven foundations initially, will be spearheaded in Brussels by the Eclipse Foundation, which is home to hundreds of individual open source projects spanning developer tools, frameworks, specifications, and more. Members of the foundation include Huawei, IBM, Microsoft, Red Hat and Oracle.

Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Alphabet X’s Bellwether harnesses AI to help predict natural disasters

The world is on fire. Quite literally, much of the time. Predicting such disasters before they get...

Don’t blame MKBHD for the fate of Humane AI and Fisker

Humane AI raised more than $230 million before it even shipped a product. And when it finally...

Dark Space is building a rocket-powered boxing glove to push debris out of orbit

Paris-based Dark Space is taking on the dual problems of debris and conflict in orbit with their...

Adtech giants like Meta must give EU users real privacy choice, says EDPB

The European Data Protection Board (EDPB) has published new guidance which has major implications for adtech giants...

LinkedIn testing paid Premium Company page with AI-assisted content creation

LinkedIn — the social platform that targets the working world — has quietly started testing another way...

TikTok starts testing its Instagram competitor TikTok Notes in Canada and Australia

TikTok is rolling out its Instagram competitor, TikTok Notes, in select markets. The app is available on...

Cherub, an angel investing community inspired by dating apps, entices investors and founders to pair up

Jaclyn Johnson and Angeline Vuong were on a hike deliberating how hard it can be for people...

Inversion Space will test its space-based delivery tech in October

Inversion Space is aptly named. The three-year-old startup’s primary concern is not getting things to space, but...