As a tech aficionado and FOSS (Free and Open Source Software) advocate, I am concerned that a proposed European Union law, the Cyber Resilience Act (CRA), could have a negative impact on the open source software community.
The CRA is a new legal framework that aims to improve software and hardware security by allowing the EU to apply a CE mark to software products. The mark would provide a common metric for judging a project’s security and give consumers better information about the security status of the software they use.
While this may sound like a good idea, the problem is that the framework could make open source developers liable for security issues in their software, even though their current licenses clearly state that the software is provided “as is” without any warranty.
The CRA could also restrict unfinished software to testing purposes only, which would make it difficult for open source developers to release beta versions of their software.
The Open Source Initiative has submitted feedback to the European Commission in an effort to get open source software excluded from the scope of this new regulation, but it remains to be seen whether this will happen.
While I understand the importance of software security, I believe that this proposed law could have a negative impact on the open source community and stifle innovation in the EU.
I hope that the EU will take into consideration the feedback from the open source community and make necessary adjustments to the proposed law to ensure that open source software is not negatively affected.
I am at the crux of a corporate decision as to whether or not to implement an open source framework for a global business workflow solution. If this framework suddenly becomes unavailable because the developers are forced to shoulder the responsibility and risk of framework security, we will be left having to develop from the ground up – a costly and time-consuming alternative.