Most concerning would be language enabling authorities to inspect secure enclaves, which I believe China and Russia will likely adopt. I couldn't find that.
Some other notable provisions:
The new draft says "only free and open-source software supplied in the course of a commercial activity should be covered by this Regulation" and puts the onus entirely on the manufacturer adopting it (i.e., off the developer or the sponsoring agency like ASF or eclipse.org): [10] "...manufacturers that incorporate such software in their products with digital elements should take all the necessary steps..."
[12a] It excludes national security and military electronics.
[14b] It excludes "leasing companies" from being considered as distributors.
[18a] It requires governments to prioritize vendors in compliance and to drive vendors to fix holes urgently.
[32a] Security updates must be automatic, but users can disable them. Once unsupported, users must be notified, and [32b] the source code should be given to companies seeking to offer ongoing support.
[34] Mandatory notification of vulnerabilities does not apply when "discovered by ethical security hackers operating with no malicious intent and with the manufacturer’s consent"
[61] In market enforcement sweeps for entire product categories, "Specific attention should be given to products with digital elements placed on the market by manufacturers that might present a security risk for the Union, including in light of the geopolitical context"
3 comments
[ 2.9 ms ] story [ 19.9 ms ] threadhttps://news.apache.org/foundation/entry/save-open-source-th...
- EU Cyber-Resilience Act (CRA)
- EU product liability
- US executive orders, legislation...
The CRA committee's March draft showing changes is
https://www.europarl.europa.eu/doceo/document/ITRE-PR-745538...
Most concerning would be language enabling authorities to inspect secure enclaves, which I believe China and Russia will likely adopt. I couldn't find that.
Some other notable provisions:
The new draft says "only free and open-source software supplied in the course of a commercial activity should be covered by this Regulation" and puts the onus entirely on the manufacturer adopting it (i.e., off the developer or the sponsoring agency like ASF or eclipse.org): [10] "...manufacturers that incorporate such software in their products with digital elements should take all the necessary steps..."
[12a] It excludes national security and military electronics.
[14b] It excludes "leasing companies" from being considered as distributors.
[18a] It requires governments to prioritize vendors in compliance and to drive vendors to fix holes urgently.
[32a] Security updates must be automatic, but users can disable them. Once unsupported, users must be notified, and [32b] the source code should be given to companies seeking to offer ongoing support.
[34] Mandatory notification of vulnerabilities does not apply when "discovered by ethical security hackers operating with no malicious intent and with the manufacturer’s consent"
[61] In market enforcement sweeps for entire product categories, "Specific attention should be given to products with digital elements placed on the market by manufacturers that might present a security risk for the Union, including in light of the geopolitical context"