zlacker

[return to "EU Cyber Resilience Act: What does it mean for open source?"]
1. chacha+Dg[view] [source] 2023-12-30 22:11:32
>>ahuber+(OP)
There is a lot of talk about who this regulation is supposed to cover, but not a lot about what it actually requires if it covers you. The best I could find after a couple of quick searches was that you're supposed to provide information about the security mechanisms used and regular security updates over the lifetime of the product. Is there anything else? This doesn't sound terribly hard to comply with at first glance.
2. Larisc+7n[view] [source] 2023-12-30 23:02:53
>>chacha+Dg
This is described in Annex IV, V and VI [1]. You must do a conformity assessment and provide a declaration of conformity. For non-critical software you can do the assessment yourself; see the first five points in Annex VI. The only thing that maybe requires a bit of effort is that you must write some technical documentation, including a cybersecurity risk assessment, during the assessment if you have not already done so. For critical software the process is of course a bit more involved because it requires certification by a "notified body".

[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
