'Unaware and Uncertain': Report Finds Widespread Unfamiliarity With 2027's EU Cyber Resilience Requirements (linuxfoundation.org) 5
Two "groundbreaking research reports" on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."
"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)
"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation reserach executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."
"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)
"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation reserach executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."
Sounds like they have two years to ask. (Score:2)
Re:Sounds like they have two years to ask. (Score:4, Informative)
Don't be scared. You are not affected by CRA if you do not earn money on your open source software.
The CRA regulates commercial activity: .. the provision of free and open-source software products that are not monetized by their manufacturers is not considered a commercial activity.
(10) This Regulation applies to economic operators only in relation to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity.
(10c)
(10c) This Regulation does not apply to natural or legal persons who contribute source code to free and open-source products that are not under their responsibility.
Also non-profit organizations hosting open source are not under CRA. On the other side, commercial entities which profit from open source are responsible! These commercial entities are also responsible to publish vulnerabilities they find in open source and also the patches developed. In general, CRA seems to be more good than bad for open source.
More info. for non-layers is here: https://berthub.eu/articles/po... [berthub.eu]
China? (Score:2)
Doing nothing is probably a good idea (Score:3)
The European Standardisation Organisations have been tasked with developing technical standards and until those are published it's probably a good idea not to do anything. Just about every organisation that operates in the EU was affected by GDPR and when those guidelines was published it made it so much easier (not that it was without pain).