Thank you all for the quick feedback, this is very helpful!

So in summary I take away and might communicate to MEPs/groups who ask that

(a) the CRA has improved as compared to the EC proposal, e.g. it does not pose a threat to FOSS any more;
(b) there are still very disappointing bits like Article 11 and the software lifecycle that require improvement next time around;
(c) but in summary we are not fundamentally opposed to the CRA becoming law.

Hope this catches it well!

Jan

On 12/03/2024 12:41, Walter van Holst wrote:

On 12-03-2024 09:45, Jan Penfrat (EDRi) wrote:

Hi all,

Sorry this list has fallen silent a bit. The final CRA is going to be approved in Plenary soon and I as wondering if we all agree with what most of the FOSS community has said about the result: that it is OK.

I understand it's not great and in particular wrt security updates we would have wanted more, but is it correct to tell people who ask that we're generally rather supportive of the CRA as it has been agreed, or at least that we don't have any major issues with it?

I think it is better to have it go through than to have it shot down in plenary. The document has massively improved in the trialogue, which probably is a first in Brussels history.

That said, I fully expect the CRA not to last any longer than its predecessor, the Cyber Security Act, did. If only because there are too many loose strands out there. For example, the Linux kernel maintainers have decided to consider every kernel bug a potential vulnerability. Which from a security perspective is correct. This also means that every kernel patch is considered a security patch. Per article 10(6b) CRA this will create an obligation for downstream distributors to provide for patches in products incorporating Linux kernels (basically every car, set top box, etc).

In practice this will turn out to be unmanageable, not every bug and patch are equal.

Either way, I expect the CRA to keep me employed for the foreseeable future, which is not a good sign...

Regards,

Walter

_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion@mailman.edri.org
To unsubscribe send an email to edri-cra-discussion-leave@mailman.edri.org

JAN PENFRAT (he/him)
Senior Policy Advisor

Mobile/Signal: +32 470 839 044
Matrix: @jan:penfrat.net

EUROPEAN DIGITAL RIGHTS
www.edri.org | Mastodon | PGP

Working days are Monday-Thursday