BLUF: The proposed Cyber Resilience Act (CRA) by the EU aims to bolster cybersecurity for European consumers but poses threats to open source software and cybersecurity researchers.
The EU is currently amending its proposed Cyber Resilience Act (CRA), which sets cybersecurity requirements for products with digital elements sold to European consumers, including IoT devices, desktop computers, and smartphones. However, the Electronic Frontier Foundation (EFF) warns that the draft's exemption for open source software is tied to non-commercial activity, so open source developers who receive any monetary compensation for their work could fall under the same obligations and liability as commercial manufacturers. Maintainers faced with that exposure may abandon their projects altogether, damaging open source as a whole.
Furthermore, the CRA requires manufacturers to report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of them. Because a fix rarely exists within that window, the requirement may push vendors toward rushed, superficial patches rather than thorough fixes, and it concentrates details of unpatched vulnerabilities in a repository reachable by government intelligence agencies and, if that repository is compromised, by attackers. To address these risks, EFF calls for a clear exemption for open source developers and for detailed public disclosure of security fixes to consumers.
EFF also joins its partner organization EDRi in calling for a safe harbor for cybersecurity researchers who follow coordinated vulnerability disclosure practices. A blanket safe harbor across the EU would give security researchers the assurance they need to report what they find without fear of legal threat.
In summary, while the CRA aims to enhance cybersecurity for European consumers, it must address the concerns of the open source community and security professionals to avoid unintended harm to product security and to cybersecurity research.