Securing Open Source Software Act of 2022

Thanks for sharing these articles, @nebairevelations!

About the Cyber Resilience Act, here are my quick takes:

The proposal aims to address the growing number of cyberattacks which are getting increasingly costly:

“Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.”

Here are the four objectives of the proposal:

  1. Ensure that manufacturers improve the security of products with digital elements since the design and development phase and throughout the whole life cycle;
  2. Ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;
  3. Enhance the transparency of security properties of products with digital elements, and
  4. Enable businesses and consumers to use products with digital elements securely.

According to the fact sheet, 90% of the products will fall under the “Default” category (as @osioke pointed out in the other thread).

And there is a specific exception for non-commercial open source software (Page 16 - Recital 10):

“In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.”

Ensuring we have standard security processes/frameworks throughout the industry would help address the growing cyber threats. So, overall, I see it as a “well-intentioned” initiative.

About adding a burden on the OS initiatives, first of all, it would be great to have a good list of commercial OS initiatives that can fall under the critical category (requires auditing). According to their article, NLnet is one of them, but it may not be a long list.

On the other hand, the proposal is currently open for feedback. Shouldn’t we use this as an opportunity?

Ask the EU to set up a dedicated budget for the (commercial or non-commercial) critical OS initiatives (especially from the EU) to cover the arising auditing expenses from this regulation. Then, we can ensure that the OS solutions are still up to the same security standards while not adding any financial burden.

So, I suggest listing our concerns and improvements and sharing them as our feedback, maybe as the Sustain group? We can organize a meeting to discuss this proposal if you wish.


Here are all the links I found as a quick reference: