The EU Cyber Resilience Act imposes a great deal of compliance overhead on OSS developers. The CRA supposedly would bring support to open source, but instead, the current proposal will overload small developers with compliance work and hamper software innovation.
Personal Commentary: I think that it is dangerous that governments attempt to interfere in the spontaneous processes that drive OSS communities, based on knowledge sharing and collaborative efforts. Maybe asking politicians for financial support is not a good idea after all.
There are quite a lot of other analyses on the act, and on skimming the proposal itself, it feels like this may be a bit too hard on the act, making it seem bad; meanwhile the groupings or classes split OSS into sections that allow OSS developers to exist outside the purview of the government/act.
We should check the categories. Currently I see:
Class I
Class II
Unclassified or Default
Where Class I are:
Identity and access management software
Browsers
Password managers
Malicious software detection
Products that use virtual private networks
Network management, configuration, monitoring, and resource management tools
Security information and event management systems
Update and patch management tools
Mobile device and application management software
Remote access software
Physical network interfaces
Microcontrollers
Integrated circuits and gate arrays intended for use by essential entities described in the NIS2 directive
Operating systems, firewalls, routers, modems, microprocessors, industrial automation and control systems, and industrial IoT that are not covered by Class II of the Cyber Resilience Act
And Class II are:
Operating systems
Hypervisors and container runtime systems
Public key infrastructure and digital certificate issuers
Firewalls for industrial use
Industrial intrusion detection/prevention systems
General purpose microprocessors
Microprocessors for programmable logic controllers and secure elements
Routers for industrial use
Modems for industrial use
Industrial switches
Secure elements
Hardware Security Modules
Secure cryptoprocessors
Smartcards, readers, and tokens
Industrial Automation & Control Systems intended for the use by essential entities described in NIS2
Industrial Internet of Things devices intended for the use by essential entities described in NIS2
Robot sensing and actuator components and robot controllers
Smart meters
I may be wrong, but this means a large percentage of OSS would fall under Unclassified or Default. And those ones are self-assessed.
And for those within the classes, they seem to be setting up institutions to act as auditors, so this feels to me like a similar setup to ISO and other similar certifications, but now the government is fully leading the charge and not leaving it to top companies to lead and thus control.
These are my uninformed thoughts though; I spoke based on what I read in the shared article, a read of some specific sections in the main 87-page proposal, and this analysis: