
New EU Cyber Security Regulations are coming – Will Open Source survive?

Hosted by Salve J. N. and Tom Fredrik B.

Details

A conversation with Simon Phipps: «Is the EU – by accident – going to kill Open Source?»

Several new laws are arriving from the EU soon – the Cyber Resilience Act (CRA), the Digital Markets Act (DMA), the NIS2 Directive and others.

Together, these are likely to affect many tens of thousands of businesses with new demands for risk assessment, documentation, incident response regimes, supply chain security and more.

As these businesses are likely to have a forest's worth of Open Source projects among their software dependencies, we should expect them to interact much more with the communities behind those projects, both to prevent and to respond to security incidents.

What are these laws, who is affected, and how can Open Source developers and communities prepare for the coming rush of managers, unfamiliar with the inner workings of the ecosystems they depend on?

We'll get an up-to-date overview of the laws, how they are likely to affect businesses and Open Source projects, and maybe a little on what we all can do to prepare for this "new" environment.

If you depend on Open Source software — either as a manager or employee in a software-using business, as a legal professional caring about the new liability landscape, or as a developer involved in a FOSS project — this conversation is for you!

Simon Phipps — Standards & EU Policy Director at Open Source Initiative

Simon first joined OSI in 2008 as a Board observer, later director, president, and secretary at various times. In early 2020 he switched to his current role.

With a degree in electronic engineering that led to a focus first on compiler design and then workstations and networking, he has had C-level roles with responsibility for software community matters at IBM, Sun Microsystems and ForgeRock.

As Sun’s chief open source officer he ran one of the first fully staffed OSPOs and oversaw the release of Sun’s whole software portfolio under open source licenses, notably including the Java platform. He has been involved in de jure standards since 1991 at multiple SDOs.

He consults, writes and speaks widely on software freedom issues, and recently on CRA and Open Source. On Twitter he is @webmink and in the Fediverse @webmink@meshed.cloud.

Kaspar Rosager Ludvigsen — Research Associate at University of Newcastle, and PhD student at University of Strathclyde, UK

Kaspar is a Danish lawyer who initially worked as a high-ranking civil servant in Denmark before joining the Department of Computer & Information Science at the University of Strathclyde as a PhD student. His PhD concerns the mutual influences of cybersecurity and law, in an interdisciplinary manner. He has published articles concerning Medical Devices, Computational Law, Supply Chain Security, Client-side Scanning, AI, and concerns about the Cyber Resilience Act.

Kaspar is officially cited and used by the EU for his feedback to the European Commission, specifically regarding the CRA, and closely follows all legislation that regulates or otherwise affects cybersecurity, in the EU as well as in the UK and the US.

Hans-Petter Fjeld — Senior security analyst at Defendable

Hans-Petter has 10+ years of experience in incident handling, vulnerability management, cloud security, and security operations. He has made significant contributions to the Norwegian FLOSS community as the former head of the Norwegian Unix User Group (NUUG) and co-founder of Hackeriet, a hackerspace in Oslo.

Salve J. Nilsen — Host, and Senior Software developer at GlobalConnect

Salve has 20+ years' worth of various contributions to the CPAN, Perl and Raku communities. He's a founding member of Hackeriet and Oslo Perl Mongers, and until recently, ISOC Norway's chairman.

Internet Society | Norway Chapter (ISOC Norge)