Let’s all get over the CRA!

how I stopped worrying about the consequences of the CRA for Open Source innovation in Europe and moved to something else

11:00 · 15 mins · 08/11/2024

The adoption of the CRA (Cyber Resilience Act) has caused some real anxiety in the FOSS ecosystem. Even in its amended form, many questions remain open and debated, and more to the point, a lot of uncertainty still surrounds it, not only at the level of its general architecture but also at the implementation level.

It is perhaps fair to mention that the CRA does not exist in a void and builds on already existing regulations and ideas. However, it should be explained that the CRA was not born inside the institutions of the European Union but is an almost pure product of governmental cyber security circles and agencies. Because of that, the digital ecosystem at large is at pains to understand some of its logic. This talk will start with what we know and what we can infer from the CRA, and how it fits within the general regulatory framework of the European Union. We will thus clarify the following points:

– what the CRA means in terms of software security assessment and certification, and how that plays a key role in understanding what the CRA is and what it is not
– CRA within the European regulatory framework
– CRA implementation: the bad, the ugly, and the unknown

We will then discuss what the concerns are for the FOSS communities. Most notably:

– barriers to entry for Free Software companies, especially small and medium ones
– legal inability to develop Free and Open Source Software
– what Free and Open Source Software foundations will do in edge cases, and what guidance they are expected to provide to the companies contributing to their projects

The talk will then discuss how we can best prepare for it, and make some suggestions on how to solve FOSS-specific challenges related to the CRA. In particular, the talk will explore the following possibilities:

– evolving the role of cross-project security teams
– promoting best practices in development (CI/CD, code auditability), turning the CRA against proprietary software practices
– pooling security audits
– better release management

Last but not least, this talk will discuss the economics behind the CRA and why it may turn out to be no less of a problem than we think.