Summary
The EU Cyber Resilience Act (CRA) introduces specific provisions and considerations for open-source software (OSS) to ensure cyber resilience. It addresses the unique challenges posed by OSS, including compliance with security standards, the role of community-driven development, and the obligations of open-source software stewards.
Relevant CRA Provisions
- Recitals (17), (18), (19), (22)
- Articles 12, 13, 24, 25
Detailed Explanation
The CRA recognizes the unique nature of open-source software and its significant contribution to research, innovation, and the digital economy. It aims to foster the development and deployment of OSS by microenterprises, small and medium-sized enterprises, start-ups, individuals, not-for-profit organizations, and academic research organizations. The regulation applies to OSS supplied for distribution or use in the course of a commercial activity, distinguishing between commercial and non-commercial activities based on monetization and integration into commercial products.
Open-source software stewards, who provide sustained support for the development of OSS intended for commercial activities, are subject to a light-touch and tailor-made regulatory regime. This regime includes obligations to establish a cybersecurity policy, cooperate with market surveillance authorities, and document vulnerabilities. The CRA also empowers the Commission to adopt delegated acts to establish voluntary security attestation programs for OSS.
Obligations for Stakeholders
- Manufacturers: Must ensure products with digital elements comply with essential cybersecurity requirements, conduct cybersecurity risk assessments, and handle vulnerabilities effectively. They must also exercise due diligence when integrating third-party components, including OSS, and maintain appropriate policies and procedures for vulnerability disclosure and remediation.
- Open-Source Software Stewards: Required to establish and document a cybersecurity policy fostering secure product development and effective vulnerability handling. They must cooperate with market surveillance authorities and provide necessary documentation upon request.