Europe's Cyber Resilience Act (CRA) has been a lightning rod of hope and controversy for some time. The proposal, which would regulate cybersecurity requirements for products with digital elements, is meant to bolster rules for hardware and software and help enhance security in a world of evolving threats.
The CRA legislation targets a broad array of categories, including Internet of Things (IoT) devices, computers, smartphones, and applications – and institutes a range of new requirements for manufacturers to improve their product security.
At the same time, the CRA has been viewed by some as a threat to open source software, which has enabled innovation and fueled the growth of the modern internet. Open source projects like Linux and Apache are used freely and integrated into a bevy of products, where they power digital services for billions of users across the globe.
Given these concerns, representatives from Drupal, Joomla, TYPO3, and WordPress communities have banded together to address EU legislators amid the ongoing CRA amendments process. This week, the consortium penned an open letter highlighting the possible impacts of the CRA on Free and Open Source Software (FOSS) Content Management Systems (CMS).
Combined, these four CMSes power more than half of all websites around the world and play a critical role in driving a competitive European economy and enabling cross-border collaboration.
One of the core issues with the CRA is its proposed liability for commercial activity connected to products that turn out to contain security vulnerabilities. Because soliciting support or donations could be read as commercial activity, open source developers could be held responsible for damages caused by a security issue even when they did not build or sell the product in which their code ended up. Such liability could put an unfair burden on smaller shops and individual developers that cannot absorb the operational and administrative overhead of meeting these requirements.
There is also concern about a proposed mandate to report actively exploited vulnerabilities to regulators within 24 hours. Critics argue that, ironically, this could increase risk rather than reduce it: widening the circle of people who know about an unpatched flaw raises the chance of leaks, and the deadline pressures maintainers into shipping rushed, inadequate fixes.
Open source content management systems have profoundly shaped the evolution of digital experiences. WordPress, the most popular in the field, powers roughly 810 million websites globally, about 43% of all websites. The CRA could irrevocably change how open source CMS platforms are used in Europe, with ripple effects across the wider software industry.
To be fair, the CRA isn't being demonized by this consortium of open source projects. As advocates for enhanced security in European hardware and software, Open Source Matters (a non-profit supporting Joomla) and the FOSS CMS communities behind this letter commend the legislative goals of the CRA. However, there are concerns regarding the potential negative impact of the proposed regulations on FOSS development and innovation within the EU.
"Individuals, SMEs, and institutions will be hampered either by enormous administrative burdens or a chilling effect on their activities (and a potential rush towards the American Tech Giants) for fear of risking penalties under the CRA. [...]", the letter states. "As mentioned by many other commenters...large and enterprise-class businesses may be the only ones able to profitably sustain the administrative burden of CRA compliance, quelling EU innovation, entrepreneurship, and economic livelihoods."
The letter proposes solutions to ensure continued success and alignment with the EU's goals. This includes clarifying the CRA’s exemption for FOSS and supporting users’ rights and freedoms. The letter also emphasizes the alignment of FOSS with EU core values – including human dignity, freedom, democracy, and equality.
The proposed CRA regulation joins a growing body of digital governance that the EU is spearheading. This includes the General Data Protection Regulation (GDPR), adopted in 2016 to provide a strong data privacy framework for European citizens.
GDPR became enforceable in May 2018, and since then data protection authorities have handed down fines to organizations large and small. The CRA is following a similar track: it backs its requirements with penalties for non-compliance and gives ENISA, the EU's cybersecurity agency, a formal role in its vulnerability-reporting and enforcement regime.
Open Source Matters and the Inter-CMS Working Group (ICWG) have invited EU Commission members and other stakeholders to participate in a seminar in Brussels early this fall, fostering a collaborative dialogue to address the concerns raised. The seminar is a cooperative gesture from the coalition of open source communities, offered in the hope that friendly dialogue and collaboration might yield changes to the proposed legislation.
The letter was signed by:
As events unfold, more information about the debate and the proposed seminar will be shared.
To read or download the full open letter, visit https://www.joomla.org/announcements/general-news/5891-open-letter-foss-cms-cyber-resilience-act.html
Open Source Matters (OSM) is a non-profit organization that supports and promotes the Joomla! open-source project. Its mission is to empower and unite a global community of Joomla users and contributors to cultivate and sustain an innovative and reliable content management system. For more information, visit www.opensourcematters.org.
Drupal, Joomla, TYPO3, and WordPress are leading open-source Content Management Systems (CMS) that have significantly impacted the digital landscape. Each platform boasts its unique approach to web content management, catering to diverse user needs. Despite their different approaches to building websites, they share common values, emphasizing collaboration, accessibility, and community-driven development. Together, their collective strength fosters innovation and empowers website creators worldwide.