The Cyber Resilience Act and Open-Source Software: A Fine Balancing Act
Keywords: Open-Source Software, Cybersecurity, Cyber Resilience Act

Abstract
Open-source software, a type of software that can be publicly accessed, shared, and modified, is an integral part of modern digital infrastructure. Many products, from personal computers to internet-connected devices, run on open-source systems (e.g., Linux). Developers may work on such software voluntarily or for limited compensation. The character of this work, however, does not reduce the impact of cybersecurity incidents within these environments. Proprietary software, meaning software with restrictive license models, regularly incorporates open-source software: a vulnerability in the open-source component thus directly affects the proprietary software too. Recent large-scale vulnerabilities (e.g., Log4j) highlighted this dual nature of open-source software: developers work on projects out of personal passion or ideology, while the software is often just as critical as software created and maintained by larger technology enterprises.
The Cyber Resilience Act, the recently proposed European cybersecurity legislation for products, aims to offer a legal response to cybersecurity problems in modern software and hardware. This paper addresses the role of open-source software cybersecurity in the Cyber Resilience Act with specific attention to the difficulties of reconciling cybersecurity responsibilities and open-source products. I show that the Cyber Resilience Act does achieve a balance between regulation for open-source software and advancing cybersecurity, but only through a narrowly applicable and, at times, complex legislative approach.