EU's Proposed CE Mark for Software Could Have Dire Impact on Open Source

'The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community. From a report: The proposed Act can be described as CE marking for software products and has four specific objectives. One is to require manufacturers to improve the security of products with digital elements "throughout the whole life cycle." Second is to offer a "coherent cybersecurity framework" by which to measure compliance. Third is to improve the transparency of digital security in products, and fourth is to enable customers to "use products with digital elements securely." The draft legislation includes an impact assessment that says "for software developers and hardware manufacturers, it will increase the direct compliance costs for new cybersecurity requirements, conformity assessment, documentation and reporting obligations." This extra cost is part of a total cost of compliance, including the burden on businesses and public authorities, estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually. The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is "deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors. 
Legally altering this arrangement through legislation can reasonably be expected to cause unintended consequences to the innovation economy in Europe."'

-- source: https://news.slashdot.org/story/23/01/26/1211223

Cheers, Peter

--
Peter Reutemann
Dept. of Computer Science
University of Waikato, Hamilton, NZ
Mobile +64 22 190 2375
https://www.cs.waikato.ac.nz/~fracpete/
http://www.data-mining.co.nz/

On Fri, 27 Jan 2023 09:16:09 +1300, Peter Reutemann quoted:
'The EU's proposed Cyber Resilience Act (CRA), which aims to "bolster cybersecurity rules to ensure more secure hardware and software products," could have severe unintended consequences for open source software, according to leaders in the open source community.'
Another opinion piece <https://www.theregister.com/2023/01/30/opinion_eu_foss_security/>:

This is an imperfect process, as regulations always are. Companies and free market libertarians chafe at not being allowed to poison, crush or electrocute paying customers or passers-by. But it turns out a well-regulated market inspires consumer confidence, doesn't stop innovation, and adds value to entire sectors. That it annoys libertarians is just a free bonus.

...

The principle of regulating digital products to make vendors take responsibility for cybersecurity is excellent but it demands proportionality. FOSS that is absolutely free of commercial interest isn't somehow more secure than one where you can buy a support contract. A far more general exemption that recognizes the intrinsic security advantages of software that is automatically transparent makes far more sense.
participants (2)
- Lawrence D'Oliveiro
- Peter Reutemann