The digital transformation of the economy has brought significant benefits but also increased cyber security risks. This has led to the adaptation of the legal framework governing cyber security to address these new threats.
In recent years, the European Union has introduced various regulations to harmonise cyber security laws while ensuring a high level of protection for European citizens (eg the General Data Protection Regulation, Cyber Resilience Act, Product Liability Directive, NIS2 Directive, Digital Operational Resilience Act, etc.). A key aspect of this evolving landscape is the role of open-source software (OSS), which raises specific legal and security challenges.
The challenge of building resilience in open source
OSS plays a crucial role in the modern digital ecosystem as a key component for innovation. It allows cost reduction and facilitates technological collaboration. It is also generally considered to play a major role in stimulating competition in the tech industry, as it lowers the barriers to market entry for new players.
OSS is now widely relied on by developers and is used across all sectors including the public, health, education, finance and security sectors.
OSS as it stands carries a high risk in terms of security. By allowing unrestricted access to the source code, vulnerabilities in the software may become more apparent and can be exploited by hackers on a larger scale. Because it relies on open contributions from multiple sources, there is also a risk of malicious code being inserted into the development process. Traceability and identification of malicious contributors can be challenging.
The collaborative model of OSS projects further presents significant challenges with regard to cyber resilience obligations. The very nature of open source implies community-driven efforts and source code distribution. OSS is developed in a decentralised manner, with the intervention of many contributors, often acting outside of any commercial activity. In that context, placing the burden of extensive and complex regulatory obligations on the developers of those technologies, combined with strict liability in case of non-compliance, may seem inappropriate and disproportionate.
Placing the burden of compliance on OSS developers and contributors would raise practical enforcement challenges due to the large number of contributors and the nature of their inputs. It may also discourage participation in OSS projects, as the risk of liability in relation to downstream use may discourage developers from contributing and ultimately slow down innovation.
OSS in the Cyber Resilience Act
The Cyber Resilience Act (CRA) aims to establish minimum cyber security requirements for products incorporating digital elements as a prerequisite before they are placed on the European Union market. These requirements may vary depending on the classification of the products, with additional obligations imposed on those categorised as “important” or “critical.” The CRA imposes obligations and assigns responsibility to all actors in the economic chain, ie product manufacturers but also importers and distributors.
Concerns that the open-source ecosystem had not been sufficiently considered were raised during the legislative process leading to the adoption of the CRA. In an open letter dated 17 April 2023, members of the OSS community urged the EU legislator to recognise the unique characteristics of OSS and ensure that the CRA would not unintentionally harm the OSS ecosystem.
The early version of the CRA excluded from its scope free and open-source software that was not supplied for distribution or use “in the course of a commercial activity”. However, this exclusion was considered insufficient because, in practice, a lot of OSS is developed in support of commercial activities and would therefore have remained subject to the obligations of the CRA.
In an effort to take these concerns into account, the concept of “open-source software stewards” was introduced in the final draft. They are subject to a light-touch and tailor-made regulatory regime.
OSS stewards are defined as “any legal person, other than a manufacturer, that has the purpose or objective of systematically providing support on a sustained basis for the development of specific products with digital elements, qualifying as free and open-source software and intended for commercial activities, and that ensures the viability of those products”. This includes certain foundations and entities that develop and publish free and open-source software in a business context, including not-for-profit entities.
Unlike manufacturers, open-source software stewards are only required to:
- implement and document a cyber security policy. This requirement is, however, less onerous than those imposed on manufacturers as part of their documentation obligation. This is intended to “foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product” and “the voluntary reporting of vulnerabilities […] by the developers of that product”. It must, in particular, include aspects related to documenting, addressing and remediating vulnerabilities and promote the sharing of information concerning discovered vulnerabilities within the open-source community.
- cooperate with the market surveillance authorities, at their request, with a view to mitigating the cyber security risks posed by a product with digital elements qualifying as free and open-source software and sharing with such authorities the cyber security policy they have established.
- report (i) an “actively exploited vulnerability” contained in a product (defined as “a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner”) or (ii) a “severe incident having an impact on the security of a product” (defined as “incident that negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of data or functions”) to the competent CSIRT and to ENISA only to the extent that (respectively) (i) open-source software stewards are involved in the development of the related product or (ii) the incident affects network and information systems provided by the open-source software stewards for the development of such products. Obligations to inform the impacted users apply under the same limited circumstances (ii).
What does this mean for the use of OSS in products with digital elements on the EU market?
Ultimately, it will be the responsibility of those choosing to integrate open-source components into their products (ie manufacturers of products incorporating open-source elements) to comply with all obligations imposed on manufacturers by the CRA (security-by-design requirements, cyber security risk assessments, transparency obligations, reporting to authorities, etc.).