Cybersecurity incidents and attacks have been on the rise in the past years. Enhancing security and trust is more relevant than ever to protect users online. Legislators worldwide have been contemplating new rules to ensure that hardware and software products become more secure, with the latest example being the EU’s Cyber Resilience Act. Below we present our concrete recommendations on how legislators can ensure that the CRA can effectively achieve its objectives.
In recent years, the European Commission has taken concrete steps to boost cybersecurity capabilities across Europe. After the adoption of the NIS2 Directive and the EU Cybersecurity Act, the last missing piece of the puzzle is the Cyber Resilience Act (CRA). This latest proposal aims to bolster the security of hardware and software products placed on the EU market while providing a more coherent framework that facilitates compliance.
At Mozilla, we believe that individuals’ security and privacy online and a safe Internet overall can only be guaranteed when all actors comply with high cybersecurity standards. We are constantly investing in the security of our products, the internet, and its underlying infrastructure. Therefore, we welcome and support the overarching goals of the CRA. To realize its full potential and achieve its objectives, we call on legislators to consider the following recommendations during the upcoming legislative deliberations:
- Clarify ‘commercial activity’ for open-source software – free and open-source software promotes the development of the internet as a public resource. Many open-source projects (including Mozilla’s products) have commercial characteristics (i.e., they are provided in exchange for a price) and should therefore be subject to the CRA’s rules. However, many other open-source projects would be unintentionally captured by the CRA’s obligations as currently drafted. For example, merely charging a small fee for technical support of freely provided software, in order to keep such a project financially viable, should not be considered a commercial activity.
- Align the proposal with existing EU cybersecurity legislation – given the number of legislative initiatives the EU’s cybersecurity package has introduced in recent years, legislators should ensure that obligations around incident reporting, reporting timeframes, and competent authorities remain consistent across the different laws. Diverging requirements would cause confusion at a time when efficient reporting of cybersecurity incidents is paramount.
- Refrain from mandating disclosure of unmitigated vulnerabilities – Mozilla has long advocated for reforms to how governments handle vulnerabilities. Stockpiled vulnerabilities can be abused by governments themselves, and by malicious actors who obtain them. Policies that mandate the disclosure of unpatched vulnerabilities to authorities should therefore be scrutinized carefully: every additional party holding an unpatched vulnerability is an additional point from which it can leak or be exploited before a fix reaches users. Even if well-intended, we believe that sharing such vulnerabilities with governments creates more risk than it mitigates.
Clear, proportionate, and enforceable rules are the way forward to achieve cyber resilience for digital products and, ultimately, safety for all internet users. We look forward to working closely with policymakers to realize these goals.
To read Mozilla’s position in detail, click here.