EU lawmakers finalise cyber security rules that spooked the open source community
5 Dec 2023
The European Union’s Parliament and Council have recently reached a consensus on the Cyber Resilience Act (CRA), paving the way for its final approval and implementation, along with provisions specifically exempting open-source software. The CRA, initially proposed by the European Commission in September 2022, mandates comprehensive cybersecurity requirements for a wide range of hardware and software products, as exemplified by the EU Commission’s reference to items ranging from baby monitors to routers.
The act will become effective 20 days after its endorsement by the Parliament and the Council. It sets ambitious objectives for manufacturers and developers, including a 24-hour window for reporting actively exploited security vulnerabilities, a five-year obligation for security updates, and extensive documentation of security features.
Manufacturers, importers, and distributors will have three years to comply with these regulations, failing which they could face penalties of up to €15 million or 2.5 per cent of their total global annual revenue.
However, the CRA had raised concerns, particularly regarding its potential impact on open-source software, which is often managed by small teams despite its significant role in larger products. The stringent requirements for patching, documentation, and disclosure posed challenges for open-source maintainers.
These concerns were highlighted as recently as October, indicating that the Commission had largely overlooked the open-source community in the Act’s finalisation. Fortunately, the latest version of the CRA addresses these concerns, explicitly stating that free and open-source software developed or supplied outside of commercial activities will not fall under this regulation.
Nicola Danti, a leading Member of the European Parliament (MEP) involved in the CRA agreement, emphasised the importance of supporting micro and small enterprises, engaging stakeholders more effectively, and responding to the open-source community’s worries. Danti highlighted that a collective approach is crucial for successfully confronting the cybersecurity challenges that lie ahead.