Partnering with EU policymakers to ensure the Cyber Resilience Act works for developers
We’re looking forward to working with policymakers to improve cybersecurity and support developers.
Policymakers in the EU are working on a new regulation to improve cybersecurity. Proposed by the European Commission last year, the Cyber Resilience Act will allocate responsibility for shipping and maintaining secure software products to the companies that sell them, but its current form could pose challenges for open source. At GitHub, we’re looking forward to working with policymakers to improve cybersecurity and support developers.
Cybersecurity reform is clearly needed. Too often, products are shipped without adequate security and are not maintained as new vulnerabilities come to light. Many of us have directly suffered as a result. The Cyber Resilience Act aims to change this. It would set requirements for secure development and maintenance of digital products in the single market, with elevated standards for critical products like web browsers and VPNs. And importantly, it would require manufacturers to patch vulnerabilities in their software in a timely manner. These proposed changes have industry and developers alike looking closely at the specifics.
Recognizing its economic impact and role in innovation, the European Commission proposal contemplates a partial exemption for open source software. While a good start, a partial exemption for open source is not enough. The proposal needs fixing, and the open source community has raised concerns.
The text exempts non-commercial open source, but defining this in practice is challenging. Developers create and maintain open source in a variety of paid and unpaid contexts, including corporate, government, nonprofit, academic, communities, and solo. Non-profit organizations offer paid consulting services as technical support for their open source software. And increasingly, developers receive sponsorships, grants, and other forms of financial support for their efforts. These nuances require a different exemption for open source.
We look forward to partnering with EU policymakers to provide clarity for open source and developers. As we outlined in a filing with the European Commission, the Cyber Resilience Act can be improved by focusing on finished products. If open source software is not offered as a paid or monetized product, it should be exempt. Keeping this focus would also provide certainty for collaborative software development and distribution platforms, from GitHub to self-hosted servers, container registries to package managers. While these were explicitly exempted in the EU Copyright Directive, there is risk that they may be considered distributors within the Cyber Resilience Act.
Providing certainty for open source will be a boon for our shared digital infrastructure and for European developers. European Commission-sponsored research estimates that open source software contributed at least €65-95 billion to EU GDP in 2018, and that annual number is set to only increase as open source powers AI development. Much more can be done, too. The German government, in particular, has taken note of the importance of open source. Last year, they launched the Sovereign Tech Fund, which supports open source projects in the public interest. Policymakers across Europe and the world should take note: models of direct government support for and engagement in developing open source are promising complements to multi-stakeholder initiatives, like OpenSSF, in securing our digital commons.
As work continues on the Cyber Resilience Act, GitHub is partnering with policymakers and the developer community to ensure the legislation actually increases cyber resilience. For more on how you can get involved, and to contribute ideas on how our proposed amendments can be improved, please contribute in our repository.