I've had people call me naive, but I'm really quite enthusiastic about the CRA.

Mary Branscombe's avatar

we used to say airily that 'every company is a technology company now' and certainly almost every product from a car to a train ticket is at least partly digital now, so it's time we made companies do the security and support for those products better; that's what the EU Cyber Resilience Act is for

Mary Branscombe's avatar

TLDR starting this September, if you sell a digital product into the EU you have to have a proper vulnerability reporting process in place and report security incidents that affect your customers: by December 2027 you have to have SBOMs and conformity declarations and 5 years support and updates

Mary Branscombe's avatar

the hope is that organisations shape up their software development practices and maybe, @kat.lol says, they'll do open source better, because now it's a board responsibility that you have to care about project health, be able to contribute any fixes you create upstream and generally act responsibly

Mary Branscombe's avatar

With the state of the software ecosystem and a new supply chain attack almost every week, sometimes from nation state actors, product safety has to cover the digital side of products as well as making sure they don't electrocute you or snap shut on your fingers; the CRA is a way to move that forward

I spent quite a while asking people about the CRA this year and, outside security and supply chain conversations, getting blank looks, so I was delighted to see it come up in the #Kubecon keynote.

Mary Branscombe's avatar

usually in interviews I'm the one bringing up CRA; here at #kubecon people have been bringing it up before I do (even if they're only saying too many organisations aren't paying attention to it) and it was nice to see it show up in the keynote

And after having spent so long saying that I know I sound naive but that I still think the CRA is an opportunity to give organizations an incentive to fund and contribute to open source better, I'm glad to know I'm not the only one - even if we're cynical about how well it survives contact with capitalism. Maybe like GDPR, the CRA will get mirrored by similar legislation around the world, although there's little sign of that yet.

Luis Villa's avatar

It does, by design. They will try to ignore it anyway (with help from big players who would really rather not be bothered)

  • cybersecurity
  • vulnerability
  • SBOMs
  • open source
  • EU
  • regulation