{"id":2251,"date":"2023-07-13T21:50:24","date_gmt":"2023-07-14T05:50:24","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=2251"},"modified":"2023-07-13T21:50:24","modified_gmt":"2023-07-14T05:50:24","slug":"european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/","title":{"rendered":"European Parliament\u2019s version of the CRA threatens cybersecurity and open source development"},"content":{"rendered":"<p><i>Recent discussions in the European Parliament can seriously undermine existing cybersecurity practices and open source development by setting disproportionate obligations and strict requirements for vendors supplying products in Europe.<\/i><\/p>\n<p>In a previous <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/05\/15\/mozilla-weighs-in-on-the-eu-cyber-resilience-act\/\">blog post<\/a> and <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2023\/05\/Mozilla-CRA-Position-Paper.pdf\">position paper<\/a>, we expressed our concerns with the original Cyber Resilience Act proposal by the European Commission, particularly regarding the disclosure of unmitigated vulnerabilities and the open source exemption. Unfortunately, the changes made in the text by the Industry Committee (ITRE) of the European Parliament fall short of improving, and in some cases even worsen, the CRA requirements regarding open source development. 
Members of the open source community have been <a href=\"https:\/\/github.blog\/2023-07-12-no-cyber-resilience-without-open-source-sustainability\/#parliament-itre-committee-draft-on-open-source\">speaking out<\/a> <a href=\"https:\/\/blog.opensource.org\/the-ultimate-list-of-reactions-to-the-cyber-resilience-act\/\">against <\/a><a href=\"https:\/\/blogs.eclipse.org\/post\/mike-milinkovich\/european-cyber-resilience-act-potential-impact-eclipse-foundation\">this <\/a>&#8211; below we highlight our key concerns:<\/p>\n<ul>\n<li aria-level=\"1\"><b>Open source projects with corporate developers as contributors will be subject to the CRA<\/b> &#8211; The current text (Recitals 10 and 10a) would deem any open source project as commercial, as long as it has committers employed by a commercial entity. Should this happen, the number of maintainers and contributors to open source projects will decrease significantly. Projects might feel compelled to reject developers and their contributions when employed by the companies that use their software. Simultaneously, companies might ban their employees from contributing to open source projects. This will result in a less innovative and less secure software ecosystem.<\/li>\n<li aria-level=\"1\"><b>Open source projects receiving donations will fall under the strict rules of the CRA<\/b> &#8211; Keeping open source projects sustainable is not an easy task, and accepting donations is one way to ensure their financial independence. Nevertheless, ITRE\u2019s version of the CRA, in Recital 10b, could threaten to undermine this. 
Projects that accept recurring donations from commercial entities will fall under the scope of the CRA, even when they do not operate in the course of commercial activity.<\/li>\n<\/ul>\n<p>Additionally, Article 11 of the ITRE Committee\u2019s text will <strong>break coordinated vulnerability disclosure by requiring developers to report any unmitigated or unpatched vulnerabilities<\/strong>. Obliging developers to report such vulnerabilities in tight timeframes can only undermine the efforts taken to apply corrective measures. It reflects a misunderstanding of how long it takes for these vulnerabilities to be fixed and can set a worrying global precedent.<\/p>\n<p>The ITRE Committee in the European Parliament will hold a vote on July 19. Should the Committee endorse the current version of the text, this will become the official European Parliament position ahead of the negotiations with the Council and the Commission.<\/p>\n<p>We ask members of the ITRE Committee to consider the implications the current text can have on open source development in Europe. At a minimum, we call for a public debate on the CRA at Plenary level before negotiations start with the Council and Commission.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recent discussions in the European Parliament can seriously undermine existing cybersecurity practices and open source development by setting disproportionate obligations and strict requirements for vendors supplying products in Europe. 
&hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/\">Read more<\/a><\/p>\n","protected":false},"author":1924,"featured_media":1675,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[283198],"tags":[],"coauthors":[452999],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>European Parliament\u2019s version of the CRA threatens cybersecurity and open source development - Open Policy &amp; Advocacy<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Tasos Stampelos\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/\",\"name\":\"European Parliament\u2019s version of the CRA threatens cybersecurity and open source development - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png\",\"datePublished\":\"2023-07-14T05:50:24+00:00\",\"dateModified\":\"2023-07-14T05:50:24+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/caba12532672da33022261024cc9cf63\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments
-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png\",\"width\":818,\"height\":458},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"European Parliament\u2019s version of the CRA threatens cybersecurity and open source development\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/caba12532672da33022261024cc9cf63\",\"name\":\"Tasos Stampelos\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/5e3cb964f7eb226bbb5e3b0f02410ed3\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/36878ab9519e3d11e2cdd28bc854c8ab?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/36878ab9519e3d11e2cdd28bc854c8ab?s=96&d=mm&r=g\",\"caption\":\"Tasos Stampelos\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"European Parliament\u2019s version of the CRA threatens cybersecurity and open source development - Open Policy &amp; Advocacy","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/","twitter_misc":{"Written by":"Tasos Stampelos","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/","name":"European Parliament\u2019s version of the CRA threatens cybersecurity and open source development - Open Policy &amp; 
Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png","datePublished":"2023-07-14T05:50:24+00:00","dateModified":"2023-07-14T05:50:24+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/caba12532672da33022261024cc9cf63"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#primaryimage","url":"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png","contentUrl":"https:\/\/blog.mozilla.org\/netpolicy\/files\/2019\/12\/privacy-image.png","width":818,"height":458},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2023\/07\/13\/european-parliaments-version-of-the-cra-threatens-cybersecurity-and-open-source-development\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"European Parliament\u2019s version of the CRA threatens cybersecurity and open source 
development"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/caba12532672da33022261024cc9cf63","name":"Tasos Stampelos","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/5e3cb964f7eb226bbb5e3b0f02410ed3","url":"https:\/\/secure.gravatar.com\/avatar\/36878ab9519e3d11e2cdd28bc854c8ab?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/36878ab9519e3d11e2cdd28bc854c8ab?s=96&d=mm&r=g","caption":"Tasos 
Stampelos"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2251"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1924"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=2251"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/2251\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media\/1675"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=2251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=2251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=2251"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=2251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}