“Collaborative Efforts: Open Source Foundations Unify to Establish Shared Standards for the EU’s Cybersecurity Resilience Act”

Seven open source foundations are coming together to create common specifications and standards for Europe’s Cyber Resilience Act (CRA), a regulation adopted by the European Parliament last month. By acting as one, the foundations aim to have open source software development treated as a single discipline bound by the same standards and processes. Add other proposed regulation, including the Securing Open Source Software Act in the U.S., and it is clear that the various foundations and “open source stewards” will come under greater scrutiny for their role in the software supply chain. “The open source community and the broader software industry now share a common challenge: legislation has introduced an urgent need for cybersecurity process standards.”

Seven open source foundations are joining forces to prepare for Europe’s Cyber Resilience Act (CRA), a regulation recently adopted by the European Parliament. The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation are collaborating to establish common specifications and standards for the CRA.

The legislation, which will come into force in three years, aims to establish cybersecurity best practices for all hardware and software products sold in the European Union. This includes regular updates and patches, with penalties for non-compliance of up to €15 million or 2.5% of global turnover.

It’s estimated that 70-90% of software is made up of open source components, developed by volunteers in their own time and with their own resources.

The draft form of the Cyber Resilience Act was first introduced almost two years ago, but faced criticism from numerous third-party organizations. In particular, open-source industry bodies expressed concerns about the potential impact on open source software development. Some feared that volunteer developers could be held legally responsible for security defects in downstream products, deterring them from contributing to critical components.

Amendments were made to address these concerns, clarifying the exclusion of open source projects from certain aspects of the regulation. However, the exact definition of “commercial activity” and what activities could be exempt remains somewhat open to interpretation.

The revised legislation has been approved, but won’t come into effect until 2027. This gives all parties involved time to meet the requirements and address any remaining concerns. This is where the collaboration between the seven open source foundations comes in.

The documentation for many open source projects can be patchy or non-existent, making it difficult to support audits or for downstream developers to implement their own CRA processes.

While some well-resourced open source initiatives have established best practices for things like vulnerability disclosures and peer review, each entity may have different approaches and standards. By uniting under one banner, these foundations hope to establish a cohesive standard for open source software development.

Furthermore, with other proposed regulations, such as the Securing Open Source Software Act in the U.S., on the horizon, it’s clear that open source stewards and foundations will come under increased scrutiny for their role in the software supply chain.

The Eclipse Foundation, which oversees hundreds of open source projects ranging from developer tools to specifications, will lead the effort in Brussels. Members include major industry players such as Huawei, IBM, Microsoft, Red Hat, and Oracle.

The foundation acknowledges that while open source communities generally adhere to industry best practices for security, there may be a lack of alignment and comprehensive documentation across different projects. With the introduction of the CRA, there is now a need for standardized cybersecurity processes throughout the open source community and the broader software industry.

The collaboration between the seven open source foundations marks a step towards addressing this need and ensuring that the software supply chain is ready for the new legislation.

Dylan Williams

Dylan Williams is a multimedia storyteller with a background in video production and graphic design. He has a knack for finding and sharing unique and visually striking stories from around the world.
