February 19, 2024 By Mark Stone 3 min read

Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents.

While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new legislation that specifically addresses cyber resilience?

The European Union’s recent amendment to the Cyber Resilience Act (CRA) has sent ripples through the tech world. The legislation was proposed in September 2022 and achieved political agreement with a controversial amendment in December 2023. The act aims to bolster cybersecurity across the EU but has taken an unexpected swerve by redefining the very essence of open-source software.

The amendment redefines open-source software, which could signal a potential paradigm shift in how open-source software is developed, shared and perceived in the European digital landscape.

The tech industry’s reaction has been an unholy recipe of cautious optimism mixed with apprehensive scrutiny, reflecting the diverse implications for open-source developers and the broader software ecosystem.

By exploring the layers of the CRA’s latest amendment, we can focus on its impact on the open-source community, the industry’s temperature check and the journey of open-source software through the legislative labyrinth of the CRA.

The amendment and its implications

The CRA has recently undergone significant amendments, particularly concerning the definition and handling of open-source software. The amendment states, “Free and open-source software is understood as software the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable.”

This redefinition has sparked a debate within the tech community, raising questions about its alignment with the traditional understanding of open source.

A mixed bag of industry reactions

The tech industry’s response to this amendment has been varied. On one hand, organizations like the Python Software Foundation have expressed relief. The final text of the CRA introduces the concept of an “open source steward,” which seems to acknowledge the unique nature of open-source software development. On the other hand, there is still significant concern about the broad implications of this redefinition and how it aligns with the realities of open-source development.

Impact on open-source developers

For open-source developers, the CRA’s amendments could mean navigating a new landscape of legal responsibilities and definitions. The act shifts a significant portion of the security burden onto software developers, which could be challenging for those in the open-source community. The notion of an “open source steward” is new in European law — and its practical implementation remains to be seen.

The open-source journey in the CRA

The journey of open-source software through the iterations of the CRA has been rather complicated. Initially, there was apprehension surrounding the potential legal responsibilities that could be imposed on open-source developers, especially in terms of security issues in products built using open-source components.

The final text of the CRA seems to have addressed some of these concerns by exempting non-profit open-source contributors from certain obligations, provided they do not engage in “commercial activity.” However, this exemption has its own ambiguities, especially regarding the definition of commercial activity.

Stepping forward with caution

The CRA’s latest amendment represents a significant step in recognizing the unique nature of open-source software within European law. However, the open-source community remains cautious. The redefinition of open-source software in the CRA and the introduction of the “open source steward” concept require careful monitoring to ensure they align with the intent and practicalities of open-source development. As the CRA moves towards finalization, the open-source community’s input will be crucial in shaping a law that supports and understands the nuances of open-source software development.
