The role of the Cyber Resilience Act for Free Software
While the implementation of the EU Cyber Resilience Act is currently
underway, several questions remain open, especially regarding its
implications for the Free Software landscape. The relationship between
Free Software projects, potential stewards, and manufacturers remains
only partially defined, and official guidance will help.

The Cyber Resilience Act (CRA) sets out the requirements for the
development of secure products with digital elements. The aim is to
ensure that hardware and software products on the EU market ship with a
guarantee that security vulnerabilities which arise will be fixed, and
that such vulnerabilities are minimised in the first place. To achieve
this, manufacturers must take security seriously throughout the entire
life cycle of a product. This enables users to consider cybersecurity
when selecting and using products with digital elements. Ultimately,
products are to be labelled with CE marking, and the conformity of
products sold on the EU market is to be checked by market surveillance
authorities.
In this way, the CRA aims to strengthen the resilience of critical
information systems and networks in the EU.
The implementation of the CRA is currently raising many questions for
those affected and is leading to discussions and uncertainty. Through a
workstream within the BSI project ‘Dialogue for Cybersecurity’, the Free Software Foundation
Europe gained insights into the EU Cyber Resilience Act and its
implications, which it used to contribute to the discussion process on
its implementation. In doing so, we focused in particular on ambiguities
in the area of respective roles and how these will interact in the
future.
The core of the workstream was the preparation, implementation and
evaluation of a stakeholder survey, which was split into three
questionnaires: one for potential Free Software stewards, one for Free
Software projects, and one for manufacturers.
To this end, we first identified potential stakeholders, both
individuals and groups, who were contacted and asked for their
assessments of potentially open questions in connection with the CRA. We
then used their responses to prepare the questionnaires and distributed
them widely to potential stakeholders, involving various groups and
stakeholders that are already working intensively on the CRA, and we
evaluated the results accordingly. Afterwards we used the results of the
stakeholder survey to develop a set of recommendations for the
implementation of the CRA.
The time frame for responding to the questionnaires was two months,
and it was explicitly stated that not all questions had to be answered.
This resulted in 345 responses, 83 of which completed the full
questionnaire(s). The aim was quality, not quantity, and accordingly,
familiarity with the CRA was crucial, not the mere number of
participants with vague fears.
The results of the survey show that many stakeholders do not yet know
exactly what role they will play in the CRA. The steward role in
particular has so far not been clearly defined. Hence, the Commission’s
guidance is expected to provide clarity here. It is also important not
to overwhelm Free Software developers with regulations, but to allow
them to continue their work – software development. Another important
aspect is that manufacturers need legal certainty when integrating Free
Software components into their products.
In order to implement the CRA, tools (e.g. for testing, reporting,
and evidence management) are needed for all stakeholders, as well as
financial support for potential stewards. This should simplify processes
and make them practicable, enabling stakeholders to achieve greater
cybersecurity without risking any loss of quality in the actual
development process. The survey also revealed that respondents would
like to see more standardisation in the requirements set by regulatory
authorities.
Moreover, potential stewards in particular are wondering how they
should deal with the possible costs they may face. This question is also
relevant for manufacturers, who have no connection to these projects, as
manufacturers tend not to want to fork projects. Therefore, a method
must be found to provide funds and/or necessary resources to potential
stewards. In this context, the question also arises of how to deal with
the time dimension of CVE fixes without overburdening projects, and how
to deal with projects that are no longer actively maintained.
And finally, another issue has also come up with regard to Article 25
and the certification of components. This problem area was only
addressed marginally in the present questionnaire, but will play a
decisive role in the coming months. The responses to the questionnaire
suggest that this issue needs to be addressed in detail, as there is
also a great deal of uncertainty in this area. For example, questions
arise about who can carry out attestation, how this can be done, and how
it will be financed.
The results of the workstream, in particular the survey, will be made
available to the European Commission and market surveillance authorities
in the further course of the process to ensure that the issues and
problem areas raised are addressed.
You can access the results of the survey here.
You can find the final report of the project here (PDF, only in German).
The results of the workstream were also presented at FrOSCon and Datenspuren.
During the project, we also invited experts to give presentations on the CRA and its current state: