Cyber Resilience Act – Proposal for a regulation on cybersecurity requirements for products with digital elements

The Cyber Resilience Act (CRA) is an EU regulation proposed on 15 September 2022 by the European Commission to improve cybersecurity and cyber resilience in the EU through common cybersecurity standards, such as mandatory incident reporting and security updates, for products with digital elements placed on the EU market,[1] which mainly means hardware and software whose "intended and foreseeable use includes direct or indirect data connection to a device or network".[2]

After publication of the draft proposal, multiple open source organizations criticized the CRA for creating a "chilling effect on open source software development".[3] The European Commission reached political agreement on the CRA on 1 December 2023, after a series of amendments.[4] The revised bill was met with relief and applause from many open source organizations, and introduced the "open source steward", a new category of economic actor.[5] The CRA agreement must now receive formal approval by the European Parliament and the Council before it can enter into force.[6]

Purposes and motivations

The background, purposes and motivations for the proposed policy include:[7]

According to The Washington Post, the CRA could make the EU a leader on cybersecurity and "change the rules of the game globally".[14]

Implementation and mechanisms

The policy requires that software which is "reasonably expected" to have automatic updates roll out security updates automatically by default, while allowing users to opt out.[16] Companies must conduct cyber risk assessments before a product is placed on the market and throughout 5 years or its expected lifecycle.[17] Products assessed as 'critical' must undergo external audits.[16][14] Companies would have to notify the EU cybersecurity agency ENISA of any incidents within 24 hours of becoming aware of them, and take measures to resolve them.[11] Products are categorized into two risk classes.[18] Products carrying the CE certification would "meet a minimum level of cybersecurity checks".[8]

Once the law has passed, manufacturers would have two years to adapt to the new requirements and one year to implement vulnerability and incident reporting. Failure to comply could result in fines of up to €15 million or 2.5 percent of the offender's total worldwide annual turnover for the preceding financial year.[13][10][11]

Euractiv has reported on new drafts and draft changes, including the "removal of time obligations for products' lifetime and limiting the scope of reporting to significant incidents".[19][16] The first compromise amendment was to be discussed on 22 May 2023, until which date groups reportedly could submit written comments. Euractiv has provided a summary overview of the proposed changes.[20]

The main political groups in the European Parliament are expected to agree on the Cyber Resilience Act at a meeting on 5 July 2023. Lawmakers will discuss open source considerations, support periods, reporting obligations, and the implementation timeline. The committee vote is scheduled for 19 July 2023.[21][22]

The Spanish presidency of the EU Council has released a revised draft that simplifies the regulatory requirements for connected devices. It would reduce the number of product categories that must comply with specific regulations, mandate reporting of cybersecurity incidents to national CSIRTs, and include provisions for determining product lifetime and easing administrative burdens for small companies. The law also clarifies that spare parts with digital elements supplied by the original manufacturer are exempt from the new requirements.[23][22]

The Council text further stipulates that, before seeking compulsory certification, the EU executive must undertake an impact assessment evaluating both the supply and demand sides of the internal market, as well as the member states' capacity and preparedness to implement the proposed schemes.[24][22]

European institutions have successfully concluded negotiations on the Cyber Resilience Act (CRA), paving the way for its anticipated completion in early 2024. The finalized text, yet to be released, will be followed by a detailed summary.[22]

Reception

Initially, the proposed act was heavily criticized by open-source advocates.[25]

Amendments were released on 1 December 2023, as part of a political agreement between the co-legislators,[32] to the acclaim of open-source advocates.[5] As Mike Milinkovich, executive director of the Eclipse Foundation,[33] wrote:[32]

The revised legislation has vastly improved its exclusion of open source projects, communities, foundations, and their development and package distribution platforms. It also creates a new form of economic actor, the “open source steward,” which acknowledges the role played by foundations and platforms in the open source ecosystem. This is the first time this has appeared in a regulation, and it will be interesting to see how this evolves.

— Mike Milinkovich, "Good News on the Cyber Resilience Act"

References

  1. "Cyber Resilience Act | Shaping Europe's digital future". digital-strategy.ec.europa.eu. 15 September 2022. Retrieved 17 May 2023.
  2. "EU cyber-resilience act | Think Tank | European Parliament". www.europarl.europa.eu. Retrieved 17 May 2023.
  3. Sawers, Paul (18 April 2023). "In letter to EU, open source bodies say Cyber Resilience Act could have 'chilling effect' on software development". TechCrunch. Retrieved 17 May 2023.
  4. "Press corner". European Commission. Retrieved 21 January 2024.
  5. Phipps, Simon (2 February 2024). "The European regulators listened to the Open Source communities!". Voices of Open Source, Open Source Initiative. Retrieved 21 February 2024.
  6. "European Cyber Resilience Act (CRA)". www.european-cyber-resilience-act.com. Retrieved 21 January 2024.
  7. Car, Polona; De Luca, Stefano (May 2023). EU cyber-resilience act — Briefing EU Legislation in Progress — PE 739.259. Strasbourg, France: European Parliamentary Research Service (EPRS), European Parliament. Retrieved 25 September 2023.
  8. "EU pitches cyber law to fix patchy Internet of Things". POLITICO. 15 September 2022. Retrieved 17 May 2023.
  9. "Commission presents Cyber Resilience Act targeting Internet of Things products". www.euractiv.com. 15 September 2022. Retrieved 17 May 2023.
  10. Lomas, Natasha (15 September 2022). "The EU unboxes its plan for smart device security". TechCrunch. Retrieved 17 May 2023.
  11. Chee, Foo Yun (15 September 2022). "EU proposes rules targeting cybersecurity risks of smart devices". Reuters. Retrieved 17 May 2023.
  12. Gross, Anna (9 November 2022). "Why a clear cyber policy is critical for companies". Financial Times. Retrieved 17 May 2023.
  13. Dobberstein, Laura. "EU puts manufacturers on hook for smart device security". www.theregister.com. Retrieved 17 May 2023.
  14. Starks, Tim (3 January 2023). "Analysis | Europe's cybersecurity dance card is full". Washington Post. Retrieved 17 May 2023.
  15. "EU chief announces cybersecurity law for connected devices". www.euractiv.com. 16 September 2021. Retrieved 17 May 2023.
  16. "Swedish Council presidency presents first full rewrite of Cyber Resilience Act". www.euractiv.com. 25 April 2023. Retrieved 17 May 2023.
  17. "Cyber resilience in focus: EU act to set strict standards". Help Net Security. 2 March 2023. Retrieved 18 May 2023.
  18. "Cyber-resilience Act signals big change in commercial software development". The Irish Times. Retrieved 17 May 2023.
  19. "Cyber Resilience Act: Leading MEP proposes flexible lifetime, narrower reporting". www.euractiv.com. 31 March 2023. Retrieved 17 May 2023.
  20. "EU lawmakers kick off cybersecurity law negotiations for connected devices". www.euractiv.com. 17 May 2023. Retrieved 18 May 2023.
  21. "EU lawmakers set to close deal on cybersecurity law for connected devices". www.euractiv.com. 4 July 2023. Retrieved 6 July 2023.
  22. "Cyber Resilience Act – Read the current state of play". Cyber Resilience Act. Retrieved 13 July 2023.
  23. "EU Council cuts down special product categories in cybersecurity law". www.euractiv.com. 10 July 2023. Retrieved 13 July 2023.
  24. "EU ambassadors set to endorse new cybersecurity law for connected devices". www.euractiv.com. 17 July 2023. Retrieved 20 July 2023.
  25. Vaughan-Nichols, Steven J. "EU attempts to secure software could hurt open source". www.theregister.com. Retrieved 17 May 2023.
  26. Harris, Jacob (17 April 2023). "Open Letter to the European Commission on the Cyber Resilience Act". Eclipse News. Retrieved 22 May 2023.
  27. van Gulik, Dirk-Willem (18 July 2023). "Save Open Source: The Impending Tragedy of the Cyber Resilience Act". Blog of the Apache Software Foundation. Retrieved 22 September 2023.
  28. Phipps, Simon (24 January 2023). "What is the Cyber Resilience Act and why it's dangerous for Open Source". Voices of Open Source, Open Source Initiative. Retrieved 18 May 2023.
  29. Stampelos, Tasos (30 July 2023). "Mozilla weighs in on the EU Cyber Resilience Act". Open Policy & Advocacy. Retrieved 30 July 2023.
  30. "Europe's cyber security strategy must be clear about open source". ComputerWeekly.com. Retrieved 17 May 2023.
  31. Statement about the EU Cyber Resilience Act.
  32. Milinkovich, Mike (19 December 2023). "Good News on the Cyber Resilience Act". Life at Eclipse. Retrieved 21 February 2024.
  33. "The Eclipse Foundation Showcases Successful Open Source Industry Collaborations for 2023; Looks Ahead to Additional Growth in 2024". Eclipse Foundation Canada. 20 February 2024. Retrieved 21 February 2024.