EU cybersecurity regulation and Open Source governance

The EU Cyber Resilience Act sets standards for how software should be designed, developed and distributed with security in mind. Any regulation of how software is developed also affects FOSS. How do individual developers and communities adapt to the new regulatory environment?

Photo by Plain Schwarz (CC BY-SA)

FOSS Backstage 2024, Berlin, Germany

Non-commercial FOSS development is excluded from the scope of the EU Cyber Resilience Act, and so are individual volunteer developers. Businesses are not. But where is the line between an incorporated FOSS community and an open source business? Depending on the answer, making FOSS releases comes with significant obligations, such as implementing maintenance and vulnerability-reporting processes, self- or third-party certification, or providing patches for a product lifecycle of five years or more. This will affect the viability of some FOSS development models, such as part-time maintainers supported by donations or business-sponsored communities. The governance setup of FOSS projects may have to be sharpened to match the roles the law requires. The presentation breaks down the obligations, when and how they apply, and what actions communities can take to handle them.

Mirko Boehm
Open Source

Political Economics of Open Source and Intellectual Property.