If any law can bring about significant upheaval in the European cybersecurity landscape, it will be the Cyber Resilience Act (CRA). The first draft, presented in September 2022, has already caused a stir and prompted reactions not only in Germany and the EU but, above all, abroad.
Prof. Dr. Dennis-Kenji Kipker is a professor of IT security law at the Bremen University of Applied Sciences, where he works at the interface between law and technology in information security and data protection. He also keeps a hand in practice and advisory work: he serves as a legal advisor to the VDE and, as a member of the board of the European Academy for Freedom of Information and Data Protection (EAID) in Berlin, helps shape future European and German cyber policy. As Managing Director of the consulting company Certavo in Bremen, he is also committed to developing and implementing pragmatic solutions for digital compliance by companies internationally.
The goals of the Cyber Resilience Act
If the CRA is adopted in this or a similar form, which is very likely, it will be the first European cybersecurity law that not only imposes an obligation of “cybersecurity by design” but also addresses manufacturers, importers and distributors alike and prescribes IT security measures across the entire life cycle of a product. That is a good thing in itself: the law, originally intended to cover only the Internet of Things, now applies to all “products with digital elements” and, with this extended scope, ultimately to all networked IT.
Some might wonder whether there is really a need for another EU law on cybersecurity when we already have NIS-2, the Cybersecurity Act, the Radio Equipment Directive and many other sector-specific laws on the same subject. The fact remains, however, that companies and manufacturers have so far understood cybersecurity primarily as an internal compliance process, and that too little regulatory attention has been paid to the products themselves, which are placed on the European internal market or manufactured there and now circulate en masse, some of them for many years.
Weaknesses in the draft
But all that glitters is not gold when it comes to the draft Cyber Resilience Act. As ambitious as the project may be, various weaknesses are already visible that must be corrected before the law is passed. One of these concerned capping the product lifetime for which manufacturers must provide security support at five years. It was quickly realised that such a rule would hardly make sense in practice, given the diversity of the products concerned. Another significant weakness, one that has unfortunately been largely ignored in the public debate so far, relates to the handling of open source components. These are used en masse in practically every commercial device and piece of software today, partly for cost reasons, but above all to improve the functionality and security of IT products.
A few days ago, the Python Software Foundation (PSF), a non-profit organisation for the promotion, protection and further development of the Python programming language, took up this problem and published a detailed statement on the CRA, asking its readers to convey the concerns it raises to European policymakers. The PSF not only makes the core programming language freely available to all users, but also runs the Python Package Index (PyPI), a library of software packages written by thousands of different companies and individuals.
Legitimate Concern for Open Source Software
At this point, the PSF’s concerns are clearly justified: it fears that the CRA’s extended scope, without exemptions for public and non-profit open source repositories, will create significant liability problems. This could go so far that the PSF would be legally liable for potentially any product containing Python code, without ever having made a sale, let alone a profit, from those products. It would then no longer be able to make Python and PyPI available to European companies and programmers, with fatal consequences for Europe as a technology hub, but ultimately also for cybersecurity, which has so far benefited significantly from the input of the global software community and from the PSF’s independence. And of course this problem affects not only Python but all publicly accessible open source repositories.
The European legislator is therefore urgently called upon to amend the draft promptly and exclude non-profit open source repositories from the scope of the future law, so that the CRA does not irrevocably damage the European open source community. Commercial companies that use open source software in their products, on the other hand, are already potentially liable for damage caused by defective software, irrespective of the current legal policy debate.