The CRA was proposed by the European Commission in September 2022 and imposes mandatory cyber security requirements for all hardware and software products – from baby monitors to routers, as the EU Commission put it.

Once in force, which will happen 20 days after its adoption by Parliament and the Council, the CRA will require hardware and software makers to meet some intimidating targets. Included in the rule is a 24-hour disclosure period for any newly-discovered security flaw under active exploitation, five years of security patch support, thorough documentation of all security features, and more.

Manufacturers, importers and distributors will have 36 months to adopt the requirements or face fines up to €15 million or 2.5 percent of total worldwide annual turnover.

While better security is all well and good, concerns have been raised over the potential effect the CRA could have on open source software, which is often maintained by only a few people despite how important it can be to larger products. Open source maintainers may find it hard to meet short deadlines for patches, documentation and disclosure.

Fears over the CRA were voiced as recently as October, when it was apparent that the Commission had largely ignored the open source community as it finalized the Act.

Luckily, the latest version of the CRA appears to address those concerns.

"In order not to hamper innovation or research, free and open source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation," the proposed version of the CRA reads.

"We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open source community," lead Member of the European Parliament (MEP) Nicola Danti explained regarding the CRA agreement. "Only together will we be able to tackle successfully the cyber security emergency that awaits us in the coming years."