The EU's Cyber Resilience Act (CRA) became law in 2024 and allowed a three-year grace period for compliance.
We believe that it would have been impossible for a small business such as Qtrac Ltd was to achieve compliance with the Act. This resulted in Qtrac Ltd. stopping all sales into Europe, which cost the company about half of its sales and left many customers disgruntled.
It appears to us that the CRA was written by one of the big consultancies to generate as much compliance consulting revenue as possible, while at the same time squeezing out small businesses that can neither comply on their own nor afford to hire a consulting company to do the compliance for them. After all, the CRA demands that even the smallest one-person software company achieve the same compliance as a software giant like Microsoft.
Furthermore, we believe that the CRA in effect overrides the “no warranty,” “no implied merchantability,” and “no fitness for a particular purpose” disclaimers in most free open source software (FOSS) licenses, leaving open source developers legally liable.
For example, if a FOSS library is used in a commercial application and the application is found to have a security hole, the CRA could be used to sue the commercial developer. However, the commercial developer could in turn claim that the source of the hole isn't them, but the FOSS library they use, thus redirecting the liability to the FOSS developer—whether or not the FOSS really is the source of the security hole.
The CRA lacks proper provision for small businesses and for open source software developers, exposing them to considerable legal risk. For open source developers it means that something that some of them do for fun and for interest and to share their expertise becomes something for which they might be sued—something that open source licences specifically protect against, but which the CRA overrides. And for small businesses, the burden of the extra bureaucracy and the additional risks of predatory legal action make selling into Europe extremely unattractive.
Overall, the CRA is bad news for European software innovation and will ensure that Europe lags even further behind the US and elsewhere in years to come.
See the Wikipedia Cyber Resilience Act article and especially the “reception” it has received.
Copyright © 2006 Mark Summerfield. All Rights Reserved.