[OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

Seth G sethg at geographika.co.uk
Fri Jul 21 17:27:38 PDT 2023


Hi all,

My initial thoughts were that it is ridiculous to expect open source projects that require no payment for use to place responsibility for security issues on the project developers and maintainers.

However, the current reality, based on recent examples, is that when OSGeo projects become aware of a critical vulnerability it is fixed by maintainers within hours or days. These fixes are nearly always unpaid work carried out during weekends and evenings due to the conscientiousness of those involved in the projects.

From [1]: "The rules could cut the cost of cyber incidents to companies by as much as 290 billion euros ($289.8 billion) annually versus compliance costs of about 29 billion euros"

If OSGeo can find a way to capture some of this value by ensuring compliance and gathering funds from large organisations that use OSGeo projects, then this could be seen as an opportunity rather than an impending disaster.

From the Log4js experience it seems companies are prepared to spend whatever it takes to resolve security issues, whilst avoiding any general maintenance and software update costs.

Seth

[1] https://www.reuters.com/technology/draft-eu-rules-target-smart-devices-with-cybersecurity-risks-2022-09-08/

--
web: https://geographika.net & https://mapserverstudio.net
twitter: @geographika

On Fri, Jul 21, 2023, at 11:20 PM, Adam Steer via Discuss wrote:
> Hi OSGeo
> 
> The European Union's proposed Cyber Resilience Act has just come to the attention of many non-EU folks as a potential dampener on open source geospatial software development and usage. A summary from GitHub is here (thanks Marco Bernasocchi for pointing it out):
> 
> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
> 
>  It's being discussed in the OSGeo board, and some responses from other open source organisations have already been made, for example: https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act
> 
> It would be great to hear your thoughts on the impact of the proposed legislation on open source geospatial software development across the globe  - so we can form an appropriate community response as soon as possible. What are your thoughts?
> 
> Yes, we're late in getting our attention on to this. Hopefully not too late.
> 
> Thanks,
> 
> Adam
> 
> --
> Dr. Adam Steer
> OSGeo director
> 