The EU's Cyber Resilience Act (CRA) became law in 2024 and allowed a three year grace period for compliance.
We believe that it would have been impossible for a small business such as Qtrac Ltd. was to achieve compliance with the Act. This resulted in Qtrac Ltd. stopping all sales into Europe, which cost the company about half of its sales and left many customers disgruntled.
It appears to us that the CRA was written by one of the big consultancies to generate as much compliance consulting revenue as possible, while at the same time squeezing out small businesses that can neither comply on their own nor afford to hire a consulting company to do the compliance for them. After all, the CRA demands that even the smallest one-person software company achieve the same compliance as a software giant like Microsoft.
The CRA lacks proper provision for small businesses, exposing them to considerable legal risk and extra bureaucracy; together with the additional risk of predatory legal action, this makes selling into Europe extremely unattractive.
Overall, the CRA is bad news for European software innovation and will ensure that Europe lags even further behind the US and elsewhere in years to come.
Note that an early draft of the CRA was also extremely prejudicial to FOSS (free and open source software) developers. However, the CRA's final text has been considerably amended to address the needs of FOSS developers. Overall it seems safe to develop FOSS, provided the software does not fall into any of the categories listed in Annex III, as explained in the CRA: Chapter II, Article 32, item 5.
Copyright © 2006 Mark Summerfield. All Rights Reserved.