The role of the Cyber Resilience Act for Free Software
While the implementation of the EU Cyber Resilience Act is currently underway, several questions remain open, especially regarding its implications for the Free Software landscape. The relationship between Free Software projects, potential stewards, and manufacturers hangs only partially defined, and official guidance will help.
The Cyber Resilience Act (CRA) sets out the requirements for the development of secure products with digital elements. The aim is to ensure that hardware and software products in the EU market are shipped with a guarantee to fix arising security vulnerabilities and to minimise them. To achieve this, manufacturers must take security seriously throughout the entire life cycle of a product. This enables users to consider cybersecurity when selecting and using products with digital elements. Ultimately, the products are to be labelled with CE marking, and the enforcement of conformity of products sold on the EU market must be checked by market surveillance authorities.
In this way, the CRA aims to strengthen the resilience of critical information systems and networks in the EU.
The implementation of the CRA is currently raising many questions for those affected and is leading to discussions and uncertainty. Through a workstream within the BSI project ‘Dialogue for Cybersecurity’, the Free Software Foundation Europe gained insights into the EU Cyber Resilience Act and its implications, which it used to contribute to the discussion process on its implementation. In doing so, we focused in particular on ambiguities in the area of respective roles and how these will interact in the future.
The core of the workstream was the preparation, implementation and evaluation of a stakeholder survey, that split in three different questionaries: potential Free Software stewards, one for Free Software projects, and manufacturers
To this end, we first identified potential stakeholders, so individual and groups, that were contacted and asked for their assessments of potentially open questions in connection with the CRA. We then user their responses to prepare the questionnaires and distributed them widely to potential stakeholders, involving various groups and stakeholders that are already working intensively on the CRA, and we evaluated the results accordingly. Afterwards we used the results of the stakeholder survey to develop a set of recommendations for the implementation of the CRA.
The time frame for responding to the questionnaires was two months and it was explicitly stated that not all questions had to be answered. This resulted in 345 responses, 83 of which completed the full questionnaire(s). The aim was quality, not quantity, and accordingly, familiarity with the CRA was crucial, not the mere number of participants with vague fears.
The results of the survey show that many stakeholders do not yet know exactly what role they will play in the CRA. The steward role in particular has so far not been clearly defined. Hence, the Commission’s guidance is expected to provide clarity here. It is also important not to overwhelm Free Software developers with regulations, but to allow them to continue their work – software development. Another important aspect is that manufacturers need legal certainty when integrating Free Software components into their products.
In order to implement the CRA, tools (e.g. for testing, reporting, and evidence management) are needed for all stakeholders, as well as financial support for potential stewards. This should simplify processes and make them practicable, enabling stakeholders to achieve greater cybersecurity without risking any loss of quality in the actual development process. The survey also revealed that respondents would like to see more standardisation in the requirements set by regulatory authorities.
Moreover, potential stewards in particular are wondering how they should deal with the possible costs they may face. This question is also relevant for manufacturers, who have no connection to these projects, as manufacturers tend not to want to fork projects. Therefore, a method must be found to provide funds and/or necessary resources to potential stewards. In this context, the question also arises of how to deal with the time dimension of CVE fixes without overburdening projects, and how to deal with projects that are no longer actively maintained.
And finally, another issue has also come up with regard to Article 25 and the certification of components. This problem area was only addressed marginally in the present questionnaire, but will play a decisive role in the coming months. The responses to the questionnaire suggest that this issue needs to be addressed in detail, as there is also a great deal of uncertainty in this area. For example, it arises questions about who can carry out attestation, how this can be done and how it will be financed.
The results of the workstream, in particular the survey, will be made available to the European Commission and market surveillance authorities in the further course of the process to ensure that the issues and problem areas are raised are addressed.
You can access the results of the survey here.
You can find the final report of the project here (PDF, only in German).
The results of the workstream were also presented at FrOSCon and Datenspuren.
During the project, we also invited experts to give presentations on the CRA and its current state: