Lobbying by Linux Foundation and FSFE, Cyber Resilience Act Exemptions
PR Newswire ☛ Linux Foundation and US Government to Host "6G Innovation Day" at ONE Summit in Silicon Valley on Open Source, Open RAN and AI Efforts [Ed: The Bill Gates-connected 'Linux' Foundation working for the US government on opaque patented and NDAd stuff]
Linux Foundation's Site/Blog ☛ The EU Cyber Resilience Act: A New Era for Business Engagement in Open Source Software [Ed: The companies behind this are proprietary giants that lobby for software patents; This is what "LF" represents now.]
FSFE ☛ CRA & PLD: Liability rules with large exemptions for Free Software are introduced
On Tuesday, March 12, the two votes in the plenary of the European Parliament on the Cyber Resilience Act (CRA) and the Product Liability Directive (PLD) marked the provisional end of a long debate on the introduction of liability rules for software - with a broad exemption for Free Software.
European Parliament ☛ Cyber Resilience Act: MEPs adopt plans to boost security of digital products [PDF]
Important and critical products will be put into different lists based on their criticality and the level of cybersecurity risk they pose. The two lists will be proposed and updated by the European Commission. Products deemed to pose a higher cybersecurity risk will be examined more stringently by a notified body, while others may go through a lighter conformity assessment process, often managed internally by the manufacturers.
During the negotiations, MEPs made sure that products such as identity management systems software, password managers, biometric readers, smart home assistants and private security cameras are covered by the new rules. Products should also have security updates installed automatically and separately from functionality updates.
MEPs also pushed for the European Union Agency for Cybersecurity (ENISA) to be more closely involved when vulnerabilities are found and incidents occur. The agency will be notified by the member state concerned and receive information so it can assess the situation and, if it identifies a systemic risk, will inform other member states so they are able to take the necessary steps.
To emphasise the importance of professional skills in the cybersecurity field, MEPs also introduced education and training programmes, collaborative initiatives, and strategies to enhance workforce mobility in the regulation.
Lexology ☛ The Cyber Resilience Act is One Step Closer to Becoming Law
The CRA will have to be formally adopted by the Council before it becomes law. That will likely be in April 2024. The final version of the CRA will then be published in the EU’s Official Journal. The majority of the provisions in the CRA will apply in full three years after the date of publication (although vulnerability reporting obligations will apply 21 months after this date).
Biometric Update ☛ International Conference on the EU Cyber Security and Resilience Acts
In the past seven years, the European Union has made landmark efforts to bolster defenses against cyber-attacks and improve product security. The EU Cybersecurity Act (CSA), under development since 2018, is creating an extensive independent European body of cybersecurity regulation as part of the “single digital market” goal. The more recent Cyber Security Resilience Act (CRA) targets a broad swath of consumer products including IoT, cloud, communications, payments, automotive, and more. Product developers will be required to protect their systems and networks from cyber threats, and report significant security incidents. A certification scheme is coming—outlines of the program will become clear over the next 2 years.
Atlassian ☛ Introducing Software Bill of Material (SBOM) in our DC products
The SBOM is essential for ensuring compliance with different regulations and standards, for example, the U.S. Executive Order on Improving the Nation's Cybersecurity, the EU NIS 2 Directive, and the Cyber Resilience Act. It enhances transparency and facilitates a deeper understanding of software components, their versions, dependencies, and updates on their security vulnerabilities. This can help developers and users identify potential security risks, manage licenses, and maintain the software more effectively. For example, if a vulnerability is discovered in a specific open-source component, anyone with access to the SBOM can quickly check if their software is affected.
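The "am I affected?" check described above, as an added example that is not Atlassian's code: a constructed CycloneDX-style SBOM (component list plus dependency graph) is matched against an advisory given as a component name and an affected version range, and each hit is reported with the dependency path that pulled it in. The SBOM content, the advisory values and the simple dotted-version comparison are assumptions for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX-style SBOM; not a real Atlassian artifact.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0", "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/org.example/web@2.3.1", "name": "web", "version": "2.3.1"},
    {"bom-ref": "pkg:maven/org.example/parser@1.4.2", "name": "parser", "version": "1.4.2"},
    {"bom-ref": "pkg:maven/org.example/logger@5.0.0", "name": "logger", "version": "5.0.0"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/app@1.0.0", "dependsOn": ["pkg:maven/org.example/web@2.3.1", "pkg:maven/org.example/logger@5.0.0"]},
    {"ref": "pkg:maven/org.example/web@2.3.1", "dependsOn": ["pkg:maven/org.example/parser@1.4.2"]},
    {"ref": "pkg:maven/org.example/parser@1.4.2", "dependsOn": []},
    {"ref": "pkg:maven/org.example/logger@5.0.0", "dependsOn": []}
  ]
}
"""

def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only (assumption); a real tool needs a full version scheme parser.
    return tuple(int(p) for p in v.split("."))

def affected_paths(sbom_text: str, name: str, introduced: str, fixed: str) -> Dict[str, List[str]]:
    """Map each component matching the advisory (name, version in [introduced, fixed))
    to the dependency path from the root component that pulls it in."""
    sbom = json.loads(sbom_text)
    comps = {c["bom-ref"]: c for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    lo, hi = parse_version(introduced), parse_version(fixed)
    hits: Dict[str, List[str]] = {}
    # Depth-first walk of the dependency graph; the path shows how a transitive dependency got in.
    stack, seen = [(root, [root])], set()
    while stack:
        ref, path = stack.pop()
        if ref in seen:
            continue  # shared dependencies are reported once, via the first path found
        seen.add(ref)
        c = comps.get(ref)
        if c and c["name"] == name and lo <= parse_version(c["version"]) < hi:
            hits[ref] = path
        for child in edges.get(ref, []):
            stack.append((child, path + [child]))
    return hits
```

A hit for `parser` 1.4.x shows it arrives transitively through `web`, which is the information a team needs to decide whether upgrading the direct dependency or the transitive one closes the finding.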