Opinion The European Union values the safety of its citizens. Holding the keys to a market of 300 million consumers, the richest in the world, the EU regulates boldly wherever it smells danger. Food, consumer goods, financial markets and data processing: if speculators can chew through it, the EU fits it with a legal muzzle.
As with all regulation, this is an imperfect process. Corporate and free-market libertarians are frustrated that they are not allowed to poison, crush or electrocute paying customers or passers-by. However, well-regulated markets have been found to inspire consumer confidence, drive innovation and add value across the sector. That it bothers libertarians is just a bonus.
The EU is now turning its attention to cybersecurity, or rather its lack. It is certainly dangerous enough to warrant care. The proposed Cyber Resilience Act (CRA) passing through Brussels will require manufacturers to demonstrate that they follow best practices in four areas before their “products with digital elements” are allowed on the EU market: improving product security throughout the product; following a consistent cybersecurity framework against which compliance can be measured; being transparent about their cybersecurity efforts; and finally ensuring customers can use their products safely throughout their life cycle.
That sounds fair enough given some of the horrors that have hit us in the past and still hit us today. A phone encrusted with mysterious bloatware that says “Best wishes for the People’s Liberation Army”? Big-name, big-ticket office software that keeps making headlines for all the wrong reasons? Who can argue against tackling these?
Only two questions need answers. Will the proposed regulations be able to do the job they have set themselves, and what impact will they have on the market? Therein lies a Dante’s Inferno of detail, with the devil populating all seven layers.
According to the EU’s own risk assessment, the market impact would be around €29bn, but €180-290bn would be saved by not having to deal with cybersecurity incidents. Exactly what counts as a “product with a digital element” is hotly debated, with the CRA classifying related software into two categories of differing importance and, at the time of writing, excluding software-as-a-service entirely.
SaaS is hotly debated, with different EU member states taking different stances on whether it can or should be regulated. What if the product has a chunk of software that communicates with the SaaS via API? Will it be
But FOSS is most at risk. The regulation’s underlying assumption is that cybersecurity exists in a marketplace of digital products, much as fireproofing does in soft furnishings. Placing regulatory costs on a part of the market that has no revenue and no gatekeeping of distribution channels does not work. There are no prices to raise to absorb compliance costs.
FOSS cannot be outlawed. Redesigning infrastructure and applications to eliminate it would be unimaginably expensive and would arguably greatly destabilize cybersecurity resilience. Exemptions – allowing pre-regulation software components to continue to be used, but requiring compliance if they are new or updated – would freeze the sector to death. And whatever “cybersecurity framework” is adopted will, for better or for worse, cover only a tiny fraction of the software in existence, catching the kind of errors that currently surface only after intensive analysis by a small team of good and bad hats who are already fully employed.
The EU as a whole, and many of its member states in particular, have been very supportive of FOSS, seeing it as a way to confound de facto non-European software monopolies and to promote diversity and transparency. The CRA draft excludes FOSS from compliance, provided that the FOSS is not used commercially as part of technical support or monetized services. This breaks many of FOSS’s funding models, which isn’t sensible.
The principle of regulating digital products to hold vendors accountable for cybersecurity is good, but it requires proportionality. FOSS with no commercial interest is no less secure than FOSS where you can buy a support contract. A much more general exemption, recognizing the inherent security benefits of software that is transparent by nature, makes much more sense.
The bad news is that the period for formal feedback on the CRA has ended. The good news is that there is a lot of feedback and the discussion isn’t over yet. Please take the time to read a solid analysis or two. If you are a sensible person living in an EU member state, talk to your MEP. Democracy is no use unless you use it. ®