Dear colleagues,

We’d like to draw your attention to a proposal put forth by the European Commission to strengthen cybersecurity rules for hardware and software products, called the Cyber Resilience Act (CRA):

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act

Several members of the Internet community have raised concerns over the implications of the CRA for the open-source community. In particular, Maarten Aertsen of NLnet Labs gave a presentation about the CRA during RIPE 85 and Olaf Kolkman of the Internet Society wrote an article that may be of interest: 

https://ripe85.ripe.net/programme/meeting-plan/os-wg/
https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/ 

There’s an opportunity to respond to the European Commission’s proposal until (at least) 27 January 2023:

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en 

This is an open consultation, and we would encourage you to share your views if you have an opinion. The feedback received will be passed on to the European Parliament and Council (the member states) as they each develop their own positions on the proposal, before negotiations between the three bodies begin. 

The RIPE NCC is currently formulating its own response to the proposal, which will include the impact we foresee the CRA having on us as an organisation, but we want to ensure that the wider voice of the technical community is also heard. 

You can see past examples of the RIPE NCC’s submissions to open consultations here:

https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations

Please let us know if you have any questions. 

Best regards,

Suzanne 

__________________
Suzanne Taylor
Public Policy & Internet Governance
RIPE NCC
www.ripe.net