There are quite a lot of other analyses on the act and on skimming the proposal itself, it feels like this may be a bit too hard on the act making it seem bad, meanwhile the groupings or classes split OSS into sections that allow OSS developers exist outside the purview of the government/act.
We should check the categories. Currently I see:
- Class I
- Class II
- Unclassified or Default
Where Class I are:
- Identity and access management software
- Browsers
- Password managers
- Malicious software detection
- Products that use virtual private networks
- Network management, configuration, monitoring, and resource management tools
- Security information and event management systems
- Update and patch management tools
- Mobile device and application management software
- Remote access software
- Physical network interfaces
- Microcontrollers
- Integrated circuits and gate arrays intended for use by essential entities described in the NIS2 directive
- Operating systems, firewalls, routers, modems, microprocessors, industrial automation and control systems, and industrial IoT that are not covered by Class II of the Cyber Resilience Act
And Class II are:
- Operating systems
- Hypervisors and container runtime systems
- Public key infrastructure and digital certificate issuers
- Firewalls for industrial use
- Industrial intrusion detection/prevention systems
- General purpose microprocessors
- Microprocessors for programmable logic controllers and secure elements
- Routers for industrial use
- Modems for industrial use
- Industrial switches
- Secure elements
- Hardware Security Modules
- Secure cryptoprocessors
- Smartcards, readers, and tokens
- Industrial Automation & Control Systems intended for the use by essential entities described in NIS2
- Industrial Internet of Things devices intended for the use by essential entities described in NIS2
- Robot sensing and actuator components and robot controllers
- Smart meters
I may be wrong but these mean a large percent of OSS would fall under unclassified or Default. And these ones are self-assessed.
And for those within the classes they seem to be setting up institutions to act as auditors, so this feels to me like a similar setup like the ISO and other similar certification, but now the government is fully leading the charge and not leaving it to top companies to lead and thus control.
These are my uninformed thoughts though, I spoke based on what I read in the shared article, a read of some specific sections in the main 87 page proposal and this analysis:
What do others think?