In our previous update we encouraged our Open Source Geospatial Foundation members to stay informed and await further information as it is made available.
The CRA regulation is aimed at mitigating the impact of security vulnerabilities on society (including aspects of the economy, digital sovereignty and national security). In practical terms this act extends “CE Mark” regulation from devices (such as your toaster or phone) to products with digital elements, including software products.
The text of the European Cyber Resilience Act is now available:
- CRA Final compromise text (European Commission, 20 December 2023)
The updated text now has an explicit definition of cyber security and has been heavily influenced by feedback from the free and open source community.
Jan 8, 2024 updates:
- Update on Drupal’s response to the EU’s proposed Cyber Resilience Act (drupal.org, 12 December 2023)
The Drupal Association has done a great job working with regulators on this topic.
- Statement about the EU Cyber Resilience Act (bits.debian.org, 27 December 2023)
The Debian community completed a CRA statement shortly after the final text was available. Unfortunately the statement was not informed by the final text, so there is a mix of valid concern and outdated statements to wade through.
- EU CRA: The compiler does not read the comments, but judges do read the Recitals (berthub.eu, 29 December 2023)
A response to the Debian statement above; it provides good background for developers struggling to understand why laws are written in an intentionally vague manner.
- EU CRA: What does it mean for open source? (berthub.eu, 30 December 2023)
Recommended: well worth reading, with good insight into the text of this regulation and the responsibilities associated with the use of free and open source software.
Jan 23, 2024 updates:
- EU’s Cyber Resilience Act Passes with Wins for Open Source (pyfound.blogspot.com, 12 January 2024)
Response from the Python Software Foundation, an example of the positive reaction from the open source community, with some hesitation around the “open-source software steward” role.
- From Concerns to Solutions: An Update on the Cyber Resilience Act (crowdcast.io, 23 January 2024)
Response from the Eclipse Foundation, which presents a well-informed and informative view. It recognizes that this is no longer an existential threat to open source, but is a major regulation of the software industry.
Open Source Geospatial Foundation Commitment
The technology that powers our Free and Open Source Software for Geospatial community is developed and maintained by a healthy mix of community members – including service providers and integrators who are asked to bear the strain of meeting this new regulation.
- All FOSS4G projects should plan to assist those affected by the new regulation, ensuring users can meet their new obligations to report security vulnerabilities.
- All FOSS4G projects may expect requests for a software bill of materials (SBOM) as greater attention is paid to the free and open source components included in their technology.
- OSGeo projects should ensure their Project Steering Committee is equipped to meet any obligations placed on OSGeo as an “open-source software steward”.
- OSGeo community projects are only promoted by OSGeo; they have not yet gone through the incubation process that establishes a Project Steering Committee reporting to the foundation. Community projects may wish to consider joining the Foundation at this time.
OSGeo is committed to supporting the projects in our care and we look forward to working with our community to meet this challenge.
OSGeo will participate in the upcoming EU Open Source Policy Summit 2024, asking Iván Sánchez Ortega to attend on our behalf.
OSGeo annual budget requests for 2024 are presently underway. We expect to provide legal guidance as projects review and revise their security policies and regulatory requirements in the year ahead.