heads-up: EU Cyber Resilience Act

[madires]

On Tuesday (September 13) the European Commission plans to publish the Cyber Resilience Act (CRA). The CRA will most likely impact anything connected (software, hardware and services). The basic idea is great, but some points are overdoing things and might do more harm than good.

[Bud]

At least they are rambling about chips, almost confirming what I've always suspected, that the chips shortage is because of sudden increase in chips consumption for military and surveillance.

Not only that, I think when chip shortage will subside we will not have access to many of the high end nomenclature anymore. Things like low to mid grade FPGA will be available but the old good times when ADI gave you samples of their latest high speec ADCs and ZigaHerz mixers will be gone. It will be purposeful limitations who is allowed to buy what.

[pcprogrammer]

...a Ministry of Truth...

That is a contradiction in terms

[madires]

I've read
https://www.european-cyber-resilience-act.com/
and it's tons and tons of bloatware rambling.

That's a marketing website of some cybersecurity company.

[golden_labels]

Thanks for the heads-up. I nearly forgotten about that.

Unfortunately, when it hits EUParl, I can do little as a Polish citizen. My EFA candidate did not get her seat, and the choice is basically between ECR and EPP. ECR MEPs will likely ignore any communication. EPP MEPs are of local opposition and are now focused on putting themselves on antipodes of anything PiS says, not very interested in other topics. I suppose local NGOs will try to poke EPP nonetheless, but even their chances are low.

[SiliconWizard]

This has got to fricking stop if you ask me. (I know you didn't.)

[Ed.Kloonk]

This has got to fricking stop if you ask me. (I know you didn't.)

Neither did the law makers, apparently.

 

[golden_labels]

Neither did the law makers, apparently.

Indeed they did not. They did not, because they could not. They could not, because the legislative procedure did not start yet.

However, which may surprise you and despite there is no such requirement, EC asked for input.

[madires]

Update:
- EU Cyber Resilience Act https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- Proposal for downloading: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Edit: It seems that the proposal has no exemptions for open source, i.e. same rules for companies and open source projects.

[tszaboo]

The new revision of the RED directive will include encryption of the radio interface as requirement in many (all?) cases.
Meaning that you cannot really place a product on the market without those measures in place. At least after if it is harmonized.
It's a good change. As a customer, you cannot evaluate cybersecurity. You don't know if some idiot left "admin 1234" as default password on your device. There is just no way to do that.

Edit: It seems that the proposal has no exemptions for open source, i.e. same rules for companies and open source projects.

Why exactly should we leave exceptions for open source?

[RoGeorge]

Update:
- EU Cyber Resilience Act https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
- Proposal for downloading: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Edit: It seems that the proposal has no exemptions for open source, i.e. same rules for companies and open source projects.

Thanks for the links.

There is something about open source at point 10, page 16 of 87 in the "Proposal for a Regulation on cybersecurity requirements for products with digital elements - Cyber resilience Act (.pdf)"

In order not to hamper innovation or research, free and open-source software
developed or supplied outside the course of a commercial activity should not be
covered by this Regulation. This is in particular the case for software, including its
source code and modified versions, that is openly shared and freely accessible, usable,
modifiable and redistributable.

[madires]

Why exactly should we leave exceptions for open source?

The additional resources required to comply with the CRA would discourage open source projects.

[tszaboo]

Why exactly should we leave exceptions for open source?

The additional resources required to comply with the CRA would discourage open source projects.

So if you want to sell open source products to the European market, then all bets are off and everything goes?

[madires]

So if you want to sell open source products to the European market, then all bets are off and everything goes?

If was talking about developing/maintaining open source, not selling products containing open source. Selling products is a commercial activity.

[golden_labels]

If was talking about developing/maintaining open source, not selling products containing open source. Selling products is a commercial activity.

But the proposal excludes software distributed outside of the commercial activity from regulation’s scope — as RoGeorge has noticed. Therefore tszaboo may narrow the discussion to commercial activity involving FOSS. The other option is off-topic in the context of this regulation.

In its current form, I see little risk to open source either. The exemption in recital 10 seems to be overly protective or an attempt to avoid the subject altogether. After glimpsing over the proposal, the main concern would be jurisdiction,⁽¹⁾ the 24h vulnerability notification period, red tape in a dynamic and shapeless development environment, and adequacy and enforceability of penalties.

But in general I do not oppose the idea itself, even if applies to FOSS products (commercial or not). A random consumer coming to e.g. https://www.libreoffice.org/ will assume it’s offering a normal product, will not know about the ideas behind this package, and may have exactly the same expectations as if they use any other office software. From that perspective they should have the same protections. In particular since those are absolute basics: not meeting some of the requirements is not an overlook — it’s gross negligence at least. So the primary reason for my concerns is the very nature of open culture, which makes it an activity different from other kinds of manufacturing. Even if the final outcome may sometimes look similar. But that applies only to FOSS — for example properietary freeware is not sharing the same characteristics.

Leaving the FOSS topic, in general the regulation seems fine. A few points:

• I am not sure if that really had to be a regulation instead of a directive.
• The 24h vulnerability notification period is unreasonable. That requires having a 24/7 security reponse team, which for most entities is neither possible nor needed.
• The regulation misses a clear provision, that would require a manufacturer to allow effective product audits and permit audits in the case of refusal. It is also a missed opportunity to give the right to perform security audits of products and publishing findings.
• No mention of a mechanism for exchanging, storing and anouncing incidents: neither in the regulation, nor as a delegation to separate acts. Not strictly required, but it was a good place to build EU-wide system for that.

⁽¹⁾ FOSS is inherently and overwhelmingly cosmopolitan, compared to most other software.

[SiliconWizard]

All this is good news for MS.
But I'm sure no amount of lobbying was involved in this proposal. It never happens!

[tszaboo]

So if you want to sell open source products to the European market, then all bets are off and everything goes?

If was talking about developing/maintaining open source, not selling products containing open source. Selling products is a commercial activity.

Since when do you require CE marking on a thing, that you are not selling?
This is easy. If you sell something here, it needs CE marking, and you need to follow the rules. If you don't sell it, you don't.

[golden_labels]

This is easy. If you sell something here, it needs CE marking, and you need to follow the rules. If you don't sell it, you don't.

The CE marking is needed if a product is placed on the market. The way it enters the market is irrelevant. The same applies to being obligated to follow the regulation.