I’ve just found this article explaining the possible impact of the EU Cyber Resilience Act on open-source software: Open-source software vs. the proposed Cyber Resilience Act.
The prepared legislation can be found here with feedback period open until 21 January 2023.
If the authors of the article draw correct conclusions, the act would require all developers of critical products to hire an external auditing company to audit the development process and vulnerability management, in order to get the required CE mark for the software. This is an excerpt from the list of critical products:
It seems the lawmakers tried to do some good for open-source developers; however, it is not clear if that’s enough:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. […] In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
I agree with the authors of the above-mentioned article that this really sounds like, as soon as you start selling support for FOSS or open a sponsoring account, you have to start following the regulation and getting the CE mark. And I’m not sure how this is supposed to work if some commercial company would like to use an unpaid FOSS dependency in their software - whether they would need to get the CE mark also for this dependency, or not.
Now, I think it might not be that hard for CZ.NIC to get the CE mark for the repos they maintain. However, the same cannot be said about the hundreds of individual developers or small research teams around.
Has anyone already examined this regulation in detail? Is there something I’ve missed? Or should I start contacting my EU parliament rep?