Open Source and the CRA: It Will Not Work

Written by The Linux Foundation | Sep 21, 2023 10:59:10 AM

Expect to see open source “not approved for the EU” if the EU CRA goes forward.

With the adoption of open source software into the fabric of societies, the ecosystem needs to improve how we protect downstream users with regard to cyber security. The OpenSSF is taking that challenge head-on. Many other efforts are underway to improve security in open source software critical to the world, starting at the beginning of the software supply chain in the projects themselves. The open source ecosystem has been at the forefront of software security, not a laggard. It’s been downstream product implementations that generally lack secure software practices. Software provided in devices is often out of sync with the current upstream projects, vendors don’t provide software updates, and products are often released to the market with insecure configurations.

Open source has enabled global ecosystems and small and medium enterprises to rapidly prototype and move to production on software and solutions that we see throughout everyday life. Most startups and innovators could not build products with digital elements without open source. This opportunity exists because anyone can use open source software under an open source license without restrictions. In exchange, the companies and developers producing open source software make it available “as is” and expect downstream developers to ensure its fitness for their purpose and product use cases. End users can support themselves or obtain the software from any number of commercially available sources that are expected to provide support and security updates. The CRA upends this value exchange and tries to place liability upstream in the open source project for downstream security issues.

While most governments worldwide have taken a collaborative approach to improving software supply chain security, the European Union is poised to take a drastic, regulation-driven approach that is disconnected from who builds open source software and how the process works. Despite nearly every corner of the open source ecosystem objecting vocally, the EU trilogue will soon convene to make a decision that could upend the global supply chain of open source software. 

Our Linux Foundation Europe community has been trying every possible path to open doors to convey a better understanding of how the open source process works. They have pointed out real issues with the current drafts of the CRA under consideration. Oddly, the only organizations likely to benefit from the CRA are very large tech companies (mostly outside the EU) who will be the only ones with the market power and engineering resources to comply with the CRA fully.

To be clear, global open source software projects will be unable to strictly comply with provisions contained in current drafts of the CRA. Much of the world's open source software will likely soon be either 1) blocked for distribution in the EU or 2) publicly accessible with caveats similar to “this software is not appropriate or approved for use or distribution in the European Union market.” 

It is unfortunate that we are here. A collaborative effort between regulators and the communities and foundations working deeply in open source could have resulted in a better security outcome for all users and commercial providers of solutions built from open source. We would welcome consultation and the opportunity to shape security regulation together. However, as the EU moves to adoption, we have run out of time. We need all users, companies, and organizations reliant on open source software to make their voices heard. Please contact your MEPs, your policy leads, and your government leadership and make it known that the CRA will not improve security and will negatively impact small and medium European Union companies and users.