If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


CRA Could Have Severe Impact on Open-Source Ecosystem

Started by Domaining News, Jun 08, 2023, 02:36 AM


Domaining News (Topic starter)

The European Union's proposed Cyber Resilience Act (CRA) has caused concern for the Electronic Frontier Foundation (EFF), as it may pose significant threats to open-source developers and cybersecurity.

The CRA aims to enhance Europe's cyber defense and product security, encompassing devices from IoT to smartphones, by mandating manufacturers and distributors to disclose vulnerabilities and introducing liability for cybersecurity incidents.

However, the EFF argues that the current form of the CRA could unintentionally penalize open-source developers who earn compensation for their work. Open-source software like Linux and Apache is crucial in the global digital landscape and relies on revenue from donations, grants, and sponsorships. The CRA might disrupt this by imposing liabilities on developers who introduce vulnerable products to the market, even inadvertently.

While the act exempts not-for-profit open-source contributors from "commercial activity" and thus liability, this exemption's scope is limited, potentially exposing developers who solicit donations or charge for their software services to legal liability. The EFF warns that this could lead to a decline in open-source projects, which could severely damage the entire open-source ecosystem.

Furthermore, the EFF is concerned about the CRA's requirements on vulnerability disclosure. Mandating manufacturers to disclose exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours could lead to "shallow" fixes prioritized over deeper, more effective solutions due to the tight timeframe. This process could also increase the risk of vulnerability exposure to malicious actors, and it lacks a public disclosure provision, preventing consumers from making informed purchase decisions.

Therefore, the EFF calls on European lawmakers to reconsider these elements of the CRA and provide further protections for open-source developers, reconsider the inflexible deadlines for vulnerability resolution, require public disclosure of security fixes, and ensure safe harbor provisions for security researchers. As society becomes increasingly reliant on technology, it is essential to safeguard against any potential negative impact that can arise from hastily created cybersecurity legislation.


