Reactions to the Cyber Resilience Act

Update: Graduated to the OSI Blog

The European Commission's proposed Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software.  The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs). Unfortunately as drafted it may harm Open Source, and perhaps all other non-industrial software.
Cast iron sign support on a wall, with a silver-painted bird at the end and the silhouette of a black-painted cat about to pounce from the shadows.

There were 131 responses to the proposed text that the Commission has sent to the Parliament, including one from the Open Source Initiative (OSI). Of those, 18 responses – representing a significant proportion of Europe's software industry – shared OSI's concerns to some degree. Here are some sample points from the responses:

Open Source Foundations

Open Source Initiative (OSI)

Open Forum Europe (OFE — with OSI, Eclipse, APELL, CNLL, OSBA) 

The Document Foundation (LibreOffice)

NLNet Labs (with CZ.NIC, ISC, NetDEF)

Trade Associations

Developers Alliance


ITI – Information Technology Industry Council


Japan Business Council in Europe (JBCE)









#CRA #OpenSource #Policy

To discuss this post please reply from Mastodon etc. (search for the URL) & include as WriteFreely still doesn't display replies. More.