Open source software plays a vital role in today’s digital landscape. It provides access to software code that is freely available for public use, modification, and distribution. However, regulating open source software and establishing support periods for such software have been ongoing challenges for European regulators. These issues are being addressed through a Compromise Text on Cyber Resilience, which seeks to find common ground among lawmakers.
One of the key points of agreement revolves around how to regulate open source software and define the responsibilities of its “controllers” or “stewards.” These are legal entities that create products with digital components for the market, with the goal of ensuring sustainability for one or more qualifying products that are free and open source. Finding a balance between the interests of volunteer IT developers and commercial companies has been a priority.
Another area of compromise focuses on defining support periods for software. It has been proposed that manufacturers be obligated to provide security patches for a minimum of five years, unless the product’s expected lifespan is shorter. This ensures that users can benefit from ongoing security updates and fixes, enhancing the overall resilience of the software ecosystem.
However, at a technical level, more attention needs to be given to the reporting of cyber threats and the entities responsible for handling them, including actively exploited vulnerabilities. This sensitive issue requires political consideration, and the European Parliament insists on the involvement of the European Union Agency for Cybersecurity (ENISA). Parliamentarians aim to avoid a situation where national Computer Security Incident Response Teams (CSIRTs) can independently decide to withhold vulnerability information without informing ENISA. Additionally, they cannot accept that manufacturers without a legal presence in the EU freely choose their CSIRT reference team. In such cases, turning to the EU Cybersecurity Agency makes more sense.
As negotiations continue, both sides are expected to define their priorities regarding the list of critical products. As with any significant regulatory action, finding common ground and balancing competing interests is a complex task.