fossified/podcast

Topic: EU Cyber Resilience Act

Closed this issue · 11 comments

... and possible effects on Open Source users and makers in the EU.

Maybe we can invite @oej to tell us about it?

Link: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

  • What is the EU Cyber Resilience Act?
  • When will it become law? (Will it?)
  • How will it affect manufacturers of software in Europe if/when enacted?
  • How will it affect Open Source projects?
  • Can we do anything to change it, does it need changing?
oej commented

If we're focusing on Open source we need to take a wider scope and discuss what's happening in the US and why the OpenSSF exists and what they do...

Yes, I think we should see and talk about this from an Open source angle, even with a focus at Open Source hackers/contributors. Staying true to who we are.

Some suggestions if/when you want to dive in a bit deeper:

  • what is the NLF and how did product-legislation get extended to software, as such?
  • how to interpret the terms "commercial" and "placing on the market" in the context of open source software?
    • how do policymakers interpret these terms?
    • what about the FOSS community, to the limited extent it has been engaged thus far?
  • who is this 'manufacturer' that is central to the mechanics of the CRA when it comes to open source?

Happy to discuss the topic, if that is of any utility; I have been following the topic for a while now.

FYI: the plan is to record an episode on this topic today.

icing commented

While intentions are good behind EUCRA, I get strong ISO9000 vibes here.

However good the regulation will become, the business opportunity for certification companies arises. This could make it spread like cancer through the industry. Any software consultancy, however small, could require anyone to be EUCRA certified. And how often does one need to be re-certified? Every year?

Meanwhile, software developers outside the EU will not be bothered with this. Do we all move to Northern Ireland or Norway then? What would prevent this? An exemption for "small" businesses?

The law specifies that standards bodies will have to define what exactly the criteria to be certified will be. As such:

  • Which of the standardization committees or bodies will this be? This has a massive impact because they have fairly different members
  • Can we have FOSS represented there? If yes how?
  • In particular because what we do in practice does not have a lot to do with what is considered "SDLC" in... well, everywhere.
  • If you had to define what your own good practices, that you are doing today, are, what would they be? Can we start talking about that, instead of the SLSA or OpenSSF framework which afaict are not realistic?

On certification:

  • What would a certification for a FOSS project look like?
  • Who would audit it? So far none of the usual certification industry players seem interested
  • Who would answer the audit?
  • If we are not certified... what happens? Are we still used? Will the industry user need a certification?
  • What happens if the industry simply... refuses to do it for FOSS because it is too hard? This has happened multiple times in the past with this kind of EU rule in other industries.

Important to note: this does affect developers outside of the EU because it will use trade rules, just like the GDPR. So the only realistic way to dodge it if you are "outside" the EU is to never let an EU resident use your software but also never let a product sold in the EU use your code. Which is opposite to FOSS basic rules and "freedom".

You might want to talk to @berthubert as well. He wrote a good article about it and is in discussions with lawmakers/civil servants.

oej commented

I really like the discussion here, so keep it going. The recording of the podcast is today, but that doesn't mean we can't discuss :-)

The creation of new standards is not a route that will save open source projects from concern. First, far too long a timeline. Second, there's a critical lack of representation in ETSI and CEN/CENELEC.

Since this topic has now been discussed in a recorded episode, I'm closing.