Summary

The EU Cyber Resilience Act (CRA) contains specific provisions on the development, use and security of free and open-source software (FOSS). Rather than applying the full manufacturer obligations to every open source project, it limits its reach to FOSS supplied in the course of a commercial activity and creates a tailored, light-touch regime for open-source software stewards, recognising the distinct development models of open source.

Relevant CRA Provisions

Article 3(14) (definition of "open-source software steward"), Article 24 (obligations of open-source software stewards) and Article 25 (security attestation of free and open-source software) of Regulation (EU) 2024/2847, together with the recitals on free and open-source software.

Detailed Explanation

The CRA acknowledges the role of free and open-source software (FOSS) in fostering innovation and research and seeks to support its development and deployment by microenterprises, small and medium-sized enterprises, start-ups, individuals, not-for-profit organisations and academic research organisations. Its obligations reach FOSS only where the software is supplied for distribution or use on the Union market in the course of a commercial activity; FOSS developed or shared outside any commercial activity is out of scope, and the regulation is framed to take the different development models of such software into account when assessing whether an activity is commercial.

Open-source software stewards, meaning legal persons other than manufacturers that systematically provide sustained support for the development of FOSS intended for commercial activities, fall under a light-touch, tailor-made regime rather than the full set of manufacturer obligations. A steward must put in place and document, in a verifiable manner, a cybersecurity policy that fosters secure development of the product and effective handling of vulnerabilities by its developers, including the sharing of information about discovered vulnerabilities within the open-source community. Stewards must also cooperate with market surveillance authorities, at their request, to mitigate the cybersecurity risks posed by the products they support.

Merely hosting FOSS on an open repository does not amount to making it available on the market. Providers of such hosting services are treated as distributors only if they themselves supply the software for distribution or use on the Union market in the course of a commercial activity; the act of hosting alone does not trigger the CRA's obligations.

To facilitate the due diligence that manufacturers must exercise when integrating FOSS components into their products, the CRA empowers the Commission to adopt delegated acts establishing voluntary security attestation programmes for FOSS. Such programmes allow developers, users and other third parties to attest the conformity of a FOSS product with all or some of the essential cybersecurity requirements. Attestation supports a manufacturer's due diligence, but it does not transfer the manufacturer's own conformity obligations to the FOSS project.

Obligations for Stakeholders

  • Open-source software stewards: Must put in place and document a verifiable cybersecurity policy covering secure development and vulnerability handling, cooperate with market surveillance authorities in mitigating cybersecurity risks, and provide the documentation of that policy to a market surveillance authority upon its reasoned request. They are not subject to the full set of manufacturer obligations.
  • Manufacturers integrating FOSS components: Remain fully responsible for the conformity of the final product, including the FOSS components it contains, and must exercise due diligence when integrating them. Relying on, or participating in, voluntary security attestation programmes is one way to support that due diligence.
  • Distributors of FOSS, including operators of repositories and package managers: Are subject to the CRA only if they supply FOSS for distribution or use on the Union market in the course of a commercial activity; hosting alone does not trigger the obligations.