EU Cybersecurity regulation might make developing open-source software more difficult

I’ve just found this article explaining the possible impact of the EU Cyber Resilience Act on open-source software: Open-source software vs. the proposed Cyber Resilience Act.

The prepared legislation can be found here with feedback period open until 21 January 2023.

If the authors of the article draw correct conclusions, the act would require all developers of critical products to hire an external auditing company to audit the development process and vulnerability management, in order to get the required CE mark for the software. This is an excerpt from the list of critical products:

It seems the lawmakers tried to do some good for open-source developers; however, it is not clear if that’s enough:

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. […] In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

I agree with the authors of the above-mentioned article that this really sounds like as soon as you start selling support for FOSS or open a sponsoring account, you have to start following the regulation and getting the CE mark. And I’m not sure how this is supposed to work if some commercial company would like to use an unpaid FOSS dependency in their software - whether they would need to get the CE mark also for this dependency, or not.

Now, I think it might not be that hard for CZ.NIC to get the CE mark for the repos they maintain. However, the same cannot be said about the hundreds of individual developers or small research teams around.

Has anyone already examined this regulation in detail? Is there something I’ve missed? Or should I start contacting my EU parliament rep?


I am unsure about that. The regulations seem to be very extensive and complicated.

This seems no small matter.

More difficult YES, big brother YES, but also way more secure! That’s what matters!

OpenSource will skip up to a higher level “created by public, verified by guarantor”. The guarantor should be the responsive person for vulnerability issues. You can force claim a problem there. The development team will be easily forced to maintain and repair vulnerability bugs.

How is a CE mark more secure? For physical products manufacturers/importers can simply print a CE mark (they are held responsible should it turn out the CE mark was not warranted) so a bad actor simply puts on the mark and changes company names if caught with a deficient product. Printing a CE mark certainly increases legal exposure but does NOT immediately affect product security/safety (albeit for benevolent actors that improve products to meet the CE requirements security can be increased).

Many times CE = China Export :smiley:

The CE letters themselves are not secure. The whole process behind it could be … The CE authoriser is responsible for that process. Is it about CE certification process security. Details matter, devils can be hidden everywhere.

This topic was automatically closed after 60 days. New replies are no longer allowed.