The Cyber Resilience Act is currently making its way through the European legislative process. It is under consideration by the European Parliament and the Council of Europe is likely to reach a position which is largely aligned with the Commission’s proposal. The stated main aims of the Cyber Resilience Act are as follows:
- To create conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle; and
- To create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
There have been issues raised by open source industry bodies (who represent those involved in the development of products (including software), which are made available for people to modify, share and incorporate into new products), who published an open letter to Parliament and the Council stating that they had been underrepresented in the legislative process. Bodies such as the Eclipse Foundation have concerns that the extension of the CE mark to “all products with digital elements made available in Europe” may change the accepted position on product liability where the open-source community producers “freely provide the software but accept no liability for your use and provide no warranties.” They contend that if they have to take on liability for open source products, this will have a significant effect on the sector and may effect liability.