What Is the Cyber Resilience Act and Why It’s Important for Open Source

The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA, including security, privacy, and the absence of Critical Vulnerability Events (CVEs).

The Open Source Initiative has submitted the following information in response to the European Commission’s request for input on its proposed Cyber Resilience Act text.