EFF Raises Concerns Over EU’s Proposed Cyber Resilience Act

First ever EU-wide legislation of its kind proposing mandatory cybersecurity requirements for products with digital elements, throughout their whole lifecycle. Image: The European Commission

The Electronic Frontier Foundation (EFF) has voiced concerns about the European Union’s proposed Cyber Resilience Act (CRA), saying it could pose significant threats to open-source developers and cybersecurity.

The CRA, currently undergoing amendments, aims to improve Europe’s cyber-defenses and product security, covering devices from IoT hardware to smartphones. It requires manufacturers and distributors to disclose vulnerabilities and introduces liability for cybersecurity incidents.

Open Source Software Threat: The EFF argues that its current form could inadvertently penalize open-source developers who earn compensation for their work. Open-source software like Linux and Apache is crucial in the global digital landscape. This software often relies on revenue from donations, grants, and sponsorships, which the CRA might disrupt by imposing liabilities on developers who introduce vulnerable products to the market, even inadvertently.

The act exempts not-for-profit open-source contributors from “commercial activity” and thus liability. However, this exemption’s scope is limited, potentially exposing developers who solicit donations or charge for their software services to legal liability. The EFF warns this could lead to a decline in open-source projects, which could severely damage the entire open-source ecosystem.

Vulnerability Disclosure Issue: The act’s vulnerability disclosure requirements also alarm the EFF. Article 11 requires manufacturers to report exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours; ENISA would then forward the details to the member states’ Computer Security Incident Response Teams (CSIRTs). While this encourages proactive vulnerability management, the EFF warns that the tight timeframe might lead manufacturers to prioritize “shallow” fixes over deeper, more effective solutions. The process could also increase the risk of vulnerability details reaching malicious actors, and because it contains no public disclosure provision, it leaves consumers unable to make informed purchase decisions.

The EFF calls on European lawmakers to reconsider these elements of the CRA. It urges them to provide further protections for open-source developers, reconsider the inflexible deadlines for vulnerability resolution, require public disclosure of security fixes, and ensure safe harbor provisions for security researchers.

By CircleID Reporter
