Light Dark
February 19, 2024 By Mark Stone 3 min read
News

Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents.

While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new legislation that specifically addresses cyber resilience?

The European Union’s recent amendment to the Cyber Resilience Act (CRA) has sent ripples through the tech world. The legislation was proposed in September 2022 and achieved political agreement with a controversial amendment in December 2023. The act aims to bolster cybersecurity across the EU but has taken an unexpected swerve by redefining the very essence of open-source software.

The amendment redefines open-source software, which could signal a potential paradigm shift in how open-source software is developed, shared and perceived in the European digital landscape.

The tech industry’s reaction has been an unholy recipe of cautious optimism mixed with apprehensive scrutiny, reflecting the diverse implications for open-source developers and the broader software ecosystem.

By exploring the layers of the CRA’s latest amendment, we can focus on its impact on the open-source community, the industry’s temperature check and the journey of open-source software through the legislative labyrinth of the CRA.

The amendment and its implications

The CRA has recently undergone significant amendments, particularly concerning the definition and handling of open-source software. The amendment states, “Free and open-source software is understood as software the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable.”

This redefinition has sparked a debate within the tech community, raising questions about its alignment with the traditional understanding of open source.

A mixed bag of industry reactions

The tech industry’s response to this amendment has been varied. On one hand, organizations like the Python Software Foundation have expressed relief. The final text of the CRA introduces the concept of an “open source steward,” which seems to acknowledge the unique nature of open-source software development. On the other hand, there is still significant concern about the broad implications of this redefinition and how it aligns with the realities of open-source development.

Impact on open-source developers

For open-source developers, the CRA’s amendments could mean navigating a new landscape of legal responsibilities and definitions. The act shifts a significant portion of the security burden onto software developers, which could be challenging for those in the open-source community. The notion of an “open source steward” is new in European law — and its practical implementation remains to be seen.

The open-source journey in the CRA

The journey of open-source software through the iterations of the CRA has been rather complicated. Initially, there was apprehension surrounding the potential legal responsibilities that could be imposed on open-source developers, especially in terms of security issues in products built using open-source components.

The final text of the CRA seems to have addressed some of these concerns by exempting non-profit open-source contributors from certain obligations, provided they do not engage in “commercial activity.” However, this exemption has its own ambiguities, especially regarding the definition of commercial activity.

Stepping forward with caution

The CRA’s latest amendment represents a significant step in recognizing the unique nature of open-source software within European law. However, the open-source community remains cautious. The redefinition of open-source software in the CRA and the introduction of the “open source steward” concept require careful monitoring to ensure they align with the intent and practicalities of open-source development. As the CRA moves towards finalization, the open-source community’s input will be crucial in shaping a law that supports and understands the nuances of open-source software development.

 |  |  |  |  | 
Mark Stone

More from News
January 13, 2025

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

December 30, 2024

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

December 26, 2024

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature