Open source foundations unite to create common standards for Europe’s Cyber Resilience Act

Seven leading open source foundations are collaborating to establish unified cybersecurity standards in response to Europe’s Cyber Resilience Act, aiming to strengthen the software supply chain and ensure compliance with forthcoming regulations.

Cyber Security concept

Seven leading open-source foundations have united their efforts to establish unified specifications and standards in response to Europe’s recently adopted Cyber Resilience Act (CRA). This groundbreaking regulation introduces new cybersecurity rules for digital products, including software, which is made up of open-source components for 70% to 90%.

The collaborative initiative involves The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation. Together, they aim to pool their expertise and resources to streamline existing security protocols within open-source software (OSS) development. Their primary objective is to fortify the often-criticised software supply chain, ensuring its resilience and compliance with the European legislation, which comes into force in three years.

In today’s digital ecosystem, open-source components constitute a significant proportion of all software. These components, predominantly developed voluntarily, underpin various software products, driving innovation and functionality.

The Cyber Resilience Act was initially introduced in draft form nearly two years ago, aiming to codify cybersecurity best practices for both hardware and software products circulating within the European Union. It mandates stringent adherence to the latest security patches and updates for all internet-connected products, imposing penalties for non-compliance. These penalties may include fines of up to €15 million or 2.5% of the global turnover.

However, the Act drew criticism from different experts, including the open-source community, expressing concerns about potential detriments to software development. Central to these concerns was the fear that upstream open-source developers could be held liable for security flaws in downstream products, potentially discouraging volunteer participation in critical projects.

Subsequent revisions to the legislation sought to address these concerns, clarifying exemptions for non-commercial open-source projects. However, the language was open to interpretation in terms of what exactly fell under ‘commercial activity’.

One notable challenge in open source development is the often sporadic documentation, hindering audits and impeding downstream manufacturers’ ability to comply with the CRA. While many projects adhere to best practices regarding vulnerability disclosures and peer reviews, the lack of standardised methodologies poses a significant hurdle.

The convergence of legislative initiatives worldwide, such as the proposed Securing Open Source Software Act in the USA, underscores the imperative for standardised cybersecurity processes within the open source community. This collaboration seeks to address these challenges by fostering alignment and comprehensive documentation across diverse open-source initiatives.