Cyber Resilience Act: it’s time to act to #FixTheCRA!

The European Union’s Cyber Resilience Act (CRA) legislation is making its way through the legislative process, currently being discussed within the European Parliament (Rapporteur is Nicola Danti) and the European Council. It will soon enter the EU trilogue phase, which is the last step before the EU parliament will vote on the CRA in the plenary. The Linux Foundation has provided guidance as to what everyone involved in open source development should know about the CRA, as well as a deeper analysis on whether the Cyber Resilience Act will help the European ICT sector compete. The policy goals of the CRA - reducing vulnerabilities in digital products, ensuring cybersecurity is maintained throughout a product’s life cycle, and enabling users to make informed decisions when selecting and operating them - are widely supported, including by LF Europe. Major concerns remain about how the CRA aims to achieve these goals, especially in the context of the open source ecosystem.

While the Linux Foundation vehemently shares the goal to bolster security of the software supply chain, with the Open Source Security Foundation being the most concrete example of our commitment, there continues to be broad consensus that the way the Act is currently drafted inadvertently risks imposing a major burden on open source contributors and non-profit foundations. If you are not familiar with this, please take a look at the critical responses from many different and diverse open source and industry stakeholders:

• European Parliament’s version of the CRA threatens cybersecurity and open source development (Mozilla)
• The EU's Proposed CRA Law May Have Unintended Consequences for the Python Ecosystem (Python Software Foundation)
• On the Cyber Resilience Act (CRA) in relation to free and open source software (VDA)
• Open-source software vs. the proposed Cyber Resilience Act (NLnet Labs)
• Position on the Cyber Resilience Act (BitKom)
• Cyber Resilience Act: The future of software in the European Union (Sonatype)
• The Eclipse Foundation and Leading Open Source Organisations Deliver Open Letter to European Commission Regarding the Cyber Resilience Act (open letter, signed By Linux Foundation Europe)
• Making the Cyber Resilience Act work for open source software developers (GitHub)
• For more, see The ultimate list of reactions to the Cyber Resilience Act. 
  
  

Linux Foundation Europe, part of the Linux Foundation, a community which maintains the largest shared technology investment in the world, has been active on multiple fronts to prevent the risk of the CRA stifling open source innovation, a pillar the EU itself has identified as critical to achieving its human-centered technology and social goals.

Our response is articulated in 5 areas:

• We work alongside other open source organization under the Open Forum Europe (OFE) auspices to support concrete common sense proposed amendments and engage with policy makers to offer guidance and advise on the functioning of the open source ecosystem.
• We engage with Linux Foundation Europe participants to educate on the potential issues with the legislation and instigate action.
• We co-signed an open letter together with a broad coalition of open source foundations, calling on the EU for a closer collaboration and consultation with open source communities on CRA and on future legislation.
• We organize panel discussions and birds-of-a-feather sessions to discuss the issue with the European Community, for example at Kubecon Europe or at the Open Source Summit Europe in September 2023.
• We are actively working to create venues for cross-foundation collaboration, aimed to provide broad representation of the open source community and an interlocutor for ongoing dialogue with policy makers.

Help us #FixTheCRA!

Today we are calling for the broader community to take immediate action. Whether you are an individual contributor, a corporation contributing to or relying on open source, or a public sector representative, your active participation matters. We encourage you to vocalize your concerns. Below, you can find some sample tweets: