New EU laws are coming that will affect Open Source. Should we worry?
One is the NIS2 directive, which cares about the state of computer and software security in sectors that work on critical infrastructure. Another is the Computer Resilience Act, which tries to improve the security landscape around network-connected devices.
Depending on how these two directives are implemented, and how companies and communities react, this may either lead to increased funding for badly needed efforts in resource-starved Open Source communities — or — motivate affected businesses to move in the direction of software mono-cultures and away from the culture of permission-less innovation that Open Source software developers have practiced for decades.
Of course, these laws aren’t finished yet. NIS2 has to be implemented in local law, and the CRA is (as of this writing) still a work in progress. While the situation may still change, I believe there are a couple things Open Source communities can do to prepare already now.
- Ensure supply-chain security procedures are in place and all issues resolved.
- Create easy-to-find-and-use documentation directed at business managers that are forced to be introduced to their new Open Source colleagues.
- Clarify project adoption and takeover procedures so the ones with a bus-factor of zero get a chance to be revived.
- and more…
I’ve summarized some of my thoughts on this in the presentation I gave at the Perl Toolchain Summit 2023 in Lyon, France, on April 27th 2023, embedded below. (Edit: The slides from this presentation can be found under the CPAN Security Group list of presentations.)
As a background and preparation for this talk, I and the Norwegian chapter of the Internet Society organized a fireside chat on April 22nd 2023.
In this conversation, we explored these laws (and others) both from a legal, security and Open Source perspective. The panel consisted of Simon Phipps (Director of EU Policy at the Open Source Initiative), Kaspar Rosager Ludvigsen (Lawyer and PhD candidate, working on the Cyber Resilience Act), Hans-Petter Fjeld (Senior Security Analyst at Defendable), and myself (Community activist and organizer in the Perl and Raku communities).
This event was graciously funded with a grant from NUUG Foundation.
If you find these topics interesting, feel free to reach out to me on Mastodon!
One thought on “NIS2 and CRA – EU LAWS that may kill Open Source?”
Comments are closed.