Update on EU Cyber Resilience Act (CRA)
Hi everyone,

Last month the Cyber-Resilience Act (“CRA”) passed a major milestone, with a common text being agreed upon between the European Commission, Council and Parliament at the end of the Trilogue negotiations.

The text, which was until now only available as selected leaks, was formally published on December 20 within this communication to the Parliament:

https://data.consilium.europa.eu/doc/document/ST-17000-2023-INIT/EN/pdf

The intent and spirit of the text remain very much the same: applying CE marking and basic product security principles to software. As such, it is going to affect all organizations providing software products on the European market, whether they leverage open source software or not.

That said, it’s clear in this version of the text that the engagement of a lot of open source advocacy groups (including OpenInfra Foundation) has led to multiple clarifications. Those clarifications reduce the disconnect between the text and the openly-developed open source model, and reduce the risk of global chilling effects around open source development participation. In particular:

- The funding of essential project support functions, without the intention to make a profit, does not constitute “commercial activity” and therefore is not within the scope of this regulation (see recital 10 on page 10 and recital 10c on page 12)
- There is now a clear distinction between the development and the supply phases, with the regulation clearly triggering at the supply phase (when the software is put on the market in the course of a commercial activity) (recital 10c, page 12)
- Foundations should be considered “open-source software stewards” (as defined in Article 3 point (18a), page 76), and should be subject to a light-touch and tailor-made regulatory regime (recital 10d, page 13), exempted from penalties (article 53(10a), page 159)

The proposed text is likely to be adopted as-is by the Parliament (see cover letter on page 2), so now is a good time to get more familiar with its details. Even if the text is adopted as-is, there is a lot more to come in the future as this regulation will need practical implementation guidelines.

We’ll continue to watch that space and keep you informed of future developments – I’ll be representing the OpenInfra Foundation in conversations on this topic at the EU Open Source Policy Summit and FOSDEM events in Brussels in a few weeks. We also plan to continue policy news briefings during board meetings in 2024, like DLA Piper did in Vancouver last year.

Regards,

Thierry Carrez
General Manager, OpenInfra Foundation
Thank you for the update!

This is all good to hear. Do you have any feeling for when practical implementation guidelines will be available? At a glance, it looks like some aspects enter into force at some period of months after the overall act is adopted; I suspect it might be useful to note any such important dates or milestones during future updates.

Thanks again!

-Julia

On Thu, Jan 4, 2024 at 8:08 AM Thierry Carrez <thierry@openinfra.dev> wrote:
Hi Julia,

There is no clear timeline for those implementation details, and the sense I got from people with past experience with this type of regulation is that it could take years before all implementation details are published.

The regulation itself says (article 57, page 162) that the text would apply 36 months after the regulation is approved, except chapter IV (notification of conformity, 18 months after) and article 11 (vulnerability reporting, 21 months after).

"How fast is this going to be implemented now" is actually my top question for the EU Open Source Policy Summit a few weeks from now.

Regards,

Thierry

Julia Kreger wrote:
_______________________________________________
Foundation-board mailing list -- foundation-board@lists.openinfra.dev
To unsubscribe send an email to foundation-board-leave@lists.openinfra.dev
-- Thierry Carrez