The CRA is intended to protect the EU from pooling all its critical eggs in too few baskets, especially if those baskets are not EU-based companies. I'm not sure what duplex does, but I'll use AWS or Azure as an example. This is where a lot of our critical software, like the stuff that operates our public sector, banking and what not, is put, because that's basically where everything is put these days. With the CRA, the EU is going to identify a range of businesses of a certain size (I work for one such business, since green energy production is critical) and potentially demand that half of us leave Azure within 3-6 months, because the EU can't function if Azure somehow becomes hostile to us. As with the GDPR, this actually has very little to do with software or development itself. It mostly has to do with bureaucracy, so we're not expected to build things that can take us out of Azure and put us into X, not technically, but we are required to plan for the eventuality and to get those plans audited. As I see it, it will be on your customers to handle these audits, not you, and it's not a contingency that is likely to ever actually happen, unless America goes full right-wing populist, which frankly seems less likely than the EU doing it, judging by this year's elections. Anyway, where this will become sort of an issue with regard to open source software and actual development, as the article points out, is when too many companies rely on the same business-critical piece of software. I'm not sure I agree that this will be such a big issue, however, as most organisations that I know of tend to in-source the most vital open source projects exactly because it's too dangerous to rely on some random person. We've done this ourselves. We needed an OData package for TypeScript projects, and while there were a few options out there, none of them were great. Some of them would've been "good enough", sort of, but they were either maintained by one or two people or not at all.
So instead of using these, we wrote our own. Which is frankly how I suspect a lot of open source projects happen, because while you can use GORM as your Go ORM, and where we could have used one of these packages and even made it better, it was simply easier to make our own. The CRA doesn't really change this, however, at least not if you're already taking security seriously. I personally think the only area that will actually be interesting to follow the CRA on is what the EU intends to do with all the public sector smartphone apps. Here in Denmark we can have things like our driver's licence in apps, but these apps are only available through either Google or Apple, and those aren't European companies. :p For everything else, I think this will mostly be bureaucracy, bureaucracy, bureaucracy, which is sort of fine, because as the GDPR has shown us, not every organisation can be trusted to do security that impacts the EU.