But does the revised Cyber Resilience Act text calm open-source fears around reporting and liabilities?
By Joe Fay
The European Union (E.U.) Cyber Resilience Act could be finalized by the end of this year after the member states agreed on a revised text for the controversial cybersecurity legislation.
The revised text was agreed this week by the Council. It includes plans for a single vulnerability reporting platform and clarifies the circumstances under which open-source software will be covered by the legislation.
The legislation came under criticism from industry bodies for being too prescriptive when it was unveiled by the European Commission last year. Open-source advocates said it would pile liability for cyber risks onto contributors, rather than commercial entities that incorporate open software into their own products and services.
According to the Council, which represents the governments of the E.U. member states, the draft regulation aims to introduce “mandatory cybersecurity requirements for the design, development, production and making available on the market of hardware and software products” and to avoid overlapping legislation from individual states.
They will apply to “all products that are connected either directly or indirectly to another device or network” except for products covered by pre-existing E.U. rules, such as medical devices, aviation, and cars.
In a statement, the Council highlighted amendments that more tightly define the classes of products covered by the legislation.
New Approach to Reporting
The latest draft confirms expected changes to the reporting obligations for actively exploited vulnerabilities. The first port of call will be the relevant national authorities instead of the pan-European agency ENISA. ENISA is, however, tasked with establishing a single reporting platform, which will allow “member states and ENISA to put in place their own electronic notification endpoints.”
It also lays out obligations around expected product lifetimes, support measures for small and micro enterprises, and a “simplified declaration of conformity”.
The revised text also expands on the status of open-source software, adding that “This Regulation applies only to products with digital elements made available on the market, hence supplied for distribution or use on the Union market in the course of a commercial activity.” Charging for technical support, or for access to a platform, can count as such a commercial activity.
“A package manager, code host or collaboration platform that facilitates the development and supply of software is only considered to be a distributor if they make this software available on the market and hence supply it for distribution or use on the Union market in the course of a commercial activity,” the statement continued.
The upshot is that “This Regulation should only apply to free and open-source software that is supplied in the course of a commercial activity.” Whether this reassures the open-source community remains to be seen.
One Rule to Secure Them All
In a statement this week, Carme Artigas Brugal, Spain’s state secretary for digitalization and AI, said the agreement “advances the E.U.'s commitment towards a safe and secure digital single market.”
She continued, “IoT and other connected objects need to come with a baseline level of cybersecurity when they are sold in the E.U., ensuring that businesses and consumers are effectively protected against cyber threats.”
But this week’s agreement on the text is nowhere near the end of the process. The amended text will now be negotiated in a series of trilogue dialogues between the European Parliament, the Council, and the Commission. The first is slated for September, with two more in November, and the text could undergo further changes at each. Next comes a technical stage in which lawyers and linguists apply the finishing touches, typically taking three to four months.
The final text could then be ready for formal adoption sometime early next year, after which the transition period before the obligations apply in full could be up to three years.