Seven prominent open source foundations have announced their collaboration to establish common specifications and standards in preparation for Europe’s Cyber Resilience Act (CRA), recently adopted by the European Parliament. This move aims to align existing security best practices in open source software development and ensure readiness for the new legislation, which is set to take effect in three years.
The Apache Software Foundation, Blender Foundation, Eclipse Foundation, OpenSSL Software Foundation, PHP Foundation, Python Software Foundation, and Rust Foundation have joined forces to leverage their collective resources. Their goal is to address concerns surrounding the software supply chain and enhance cyber resilience in the wake of the CRA.
With estimates suggesting that up to 90% of modern software comprises open source components, the CRA seeks to enforce cybersecurity standards for internet-connected products sold within the European Union. It requires manufacturers to keep their products current with the latest patches and security updates or face penalties, including fines of up to €15 million or 2.5% of global turnover.
The CRA was initially met with criticism from various industry bodies, including open source organizations, which raised concerns about potential liabilities for open source developers. However, subsequent revisions to the legislation offered clarifications and exemptions for non-commercial projects, alleviating some of those apprehensions.
Despite its approval, the CRA won’t be enforced until 2027, allowing stakeholders to align with its requirements and address implementation challenges. The collaboration among the seven open source foundations aims to facilitate this transition by establishing unified standards and processes across the open source community.
Many open source projects currently lack comprehensive documentation, hindering audits and complicating compliance efforts. By harmonizing practices and terminology, the collaborative effort seeks to streamline cybersecurity processes and support manufacturers and developers in meeting CRA obligations.
The Eclipse Foundation, serving as the driving force behind the collaboration in Brussels, brings together a diverse range of open source projects under its umbrella. With backing from industry giants like Huawei, IBM, Microsoft, Red Hat, and Oracle, the foundation is well-positioned to lead this initiative and foster cybersecurity resilience within the open source ecosystem.
As global regulatory scrutiny on software security intensifies, the collaboration underscores the importance of standardized cybersecurity practices in open source development. By working together, the participating foundations aim to strengthen the resilience of the software supply chain and uphold cybersecurity standards in the face of evolving regulatory landscapes.