Cyber Resilience Act

In the worst case, the final version of the Cyber Resilience Act would require individual open source developers to certify that their software meets EU standards and that it passes regular security reviews.

One key detail is that, while the Cyber Resilience Act would apply to both open and closed source software, it places a bigger burden on open source developers because they have less knowledge of, and control over, who uses their software, which increases their potential legal exposure under the act.

The Cyber Resilience Act was introduced by the European Parliament in September 2022. Its purpose is to establish cybersecurity requirements for devices and software marketed in the EU. Everybody who places digital products on the EU market will take on additional obligations around reporting and compliance, such as fixing discovered vulnerabilities, providing software updates, and auditing and certifying the products.

The Act shifts much of the security burden onto those who develop software, as opposed to those who use it. This can be justified by two assumptions: first, software developers know best how to mitigate vulnerabilities and distribute patches; and second, it is easier to mitigate vulnerabilities at the source than to require users to do so.

But as an open source developer, are you covered by the CRA? And what obligations does the CRA place on you?