The Electronic Frontier Foundation (EFF) has voiced concerns about the European Union’s proposed Cyber Resilience Act (CRA), saying it could pose significant threats to open-source developers and cybersecurity.
The CRA, currently undergoing amendments, aims to improve Europe’s cyber-defenses and product security, covering devices from IoT hardware to smartphones. It requires manufacturers and distributors to disclose vulnerabilities and introduces liability for cybersecurity incidents.
Open Source Software Threat: The EFF argues that its current form could inadvertently penalize open-source developers who earn compensation for their work. Open-source software like Linux and Apache is crucial in the global digital landscape. This software often relies on revenue from donations, grants, and sponsorships, which the CRA might disrupt by imposing liabilities on developers who introduce vulnerable products to the market, even inadvertently.
The act exempts not-for-profit open-source contributors from “commercial activity” and thus liability. However, this exemption’s scope is limited, potentially exposing developers who solicit donations or charge for their software services to legal liability. The EFF warns this could lead to a decline in open-source projects, which could severely damage the entire open-source ecosystem.
Vulnerability Disclosure Issue: The act’s requirements on vulnerability disclosure also alarm the EFF. Article 11 requires manufacturers to disclose actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA) within 24 hours; ENISA would then forward these details to the member states’ Computer Security Incident Response Teams (CSIRTs). While this encourages proactive vulnerability management, the EFF warns that the tight timeframe might lead to “shallow” fixes being prioritized over deeper, more effective solutions. The process could also increase the risk of vulnerability details reaching malicious actors, and it lacks a public disclosure provision, preventing consumers from making informed purchase decisions.
The EFF calls on European lawmakers to reconsider these elements of the CRA. It urges them to provide further protections for open-source developers, reconsider the inflexible deadlines for vulnerability resolution, require public disclosure of security fixes, and ensure safe harbor provisions for security researchers.