EU Cyber Resilience Act finalized in trilogues

by Florian Idelberger
Cyber Resilience Act finalized
On 1st of December the negotiators between the Commission, Council and the parliament reached an agreement in the trilogues on the final text (not currently publicly available) of the Cyber Resilience Act that was originally proposed by the EU commission on 15th September 2022 and which we reported on previously here.
Update (24.01.2024): The final text of the CRA has been released and can be found here. It has not been officially adopted yet.
Commercial Activity and Making available on the market
Compared to the original proposal, many improvements were made that should accommodate most quirks of the free and open-source development models. Previously, it was anticipated that the exception for open-source software outside of commercial activity “free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this regulation.” in recital 10, would subsume too many funding models under the umbrella of commercial activity. Now the phrase use is “the provision of free and open-source software products with digital elements that are not monetized by their manufacturers is not considered a commercial activity”. This narrows the scope as it focuses on making available on the market as a product, not on making public.
In addition the circumstances of development and how the development was finance should not be taken into account when determining the commercial or not-commercial nature.
“The mere circumstances under which the product has been developed, or how the development has been financed should therefore not be taken into account when determining the commercial or non-commercial nature of [making free and open-source software available on the market].”
Further, products developed by public administrations for their own use are also excepted. This does at least provide some clarifications, though for a full impact assessment we still have to wait for the official final text, as well as ‘implementation standards’ and if necessary court decisions. In either case, as Open Forum Europe remarks, the CRA still is a challenge for all businesses involved in monetizing software or “products with digital elements”.
Open Source Software Stewards
Furthermore, the newest agreement on the CRA introduces of the concept of “Open Source Software Stewards”. This category of actors is supposed to capture foundations and similar entities, which are not producers in a traditional sense but organize development, funding or manage licenses and similar tasks. These are also not traditional for-profit companies, but either foundations or NGOs, which do not directly profit from free- and open-source software development. These entities have an important role for the development of free and open source software, as also echoed by the press release of the Open Source Business Alliance.
For these entities, the newest proposal of the CRA defines lighter rules, that should fit better and not be too onerous. They are not required to label their products with a CE mark, but should still have a security strategy, report security flaws and cooperate with market surveillance authorities. This change is not ideal for these foundations as it still might pose challenging for at least some of them. On the side of the legislators, this classification was also driven by a view that sometimes these foundations are funded at least in part by bigger tech companies, and the fear that such an entity could be used to circumvent all obligations. Because of this, it was very unlikely to have them fully exempted.
In case there are obligations under the CRA, there were also changes, but these are less relevant for most free- and open-source projects now. There are for example still reporting requirements to ENISA and local CSIRTs within 24 hours, which some in the InfoSec community claimed could in some cases actually lead to more exploitation if an attack is made public or could lead to manufacturers that sometimes delay publication on purpose being forced to give this information to other governments too who might exploit that knowledge.
In any case, a collaboration of many pro-free and open-source organizations and also sympathetic ears in the EU organizations have worked hard to lessen the impact of the CRA on the free- and open-source eco-system in the EU. Specific implementation details however and whether or not it improves security products with digital elements remains to be seen.