I've written about the worldwide paradigm shift in cybersecurity that is currently underway. This latest EU cybersecurity regulation, the CRA (see Read More below), contains many of the "paradigm shifting changes" that are coming. Energy companies across the world will be impacted by these changes in how open-source software will be made commercially available.
I am wondering if an open-source project that is not a commercial activity, per 10(c), can bear the CE Mark identified in Article 22 of the CRA?
One additional statement from this analysis should be given serious consideration:
"Furthermore, the CRA virtually creates a new process whereby industry can come together to sponsor security documentation, attestations, audits or even security work on open source products. The European Commission is empowered to create templates and regulations for such procedures, and input from the open source community would surely be helpful to turn that into a success."
A NIST SBOM Vulnerability Disclosure Report (SBOM VDR) is one such attestation that should be given serious consideration. It provides greater transparency by indicating that a software vendor has indeed checked each SBOM component for vulnerabilities before releasing a product, and it is maintained online as changes occur. Combined with issuing CSAF security advisories as new vulnerabilities are reported, it warns consumers of cyber-risk; this is especially important for vulnerabilities listed in the CISA KEV catalog.
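The checks described above (every SBOM component examined, findings tracked, KEV entries flagged for an advisory) can be automated. The following is an added example, not code from the original post, NIST, CISA or any vendor: it reads a CycloneDX-style SBOM and VDR plus a KEV list and reports components with no VDR entry, findings still open, and open findings that appear in KEV. Assumed and not stated on the page: the CycloneDX 1.4+ JSON layout (`bom-ref` on components, `vulnerabilities[].affects[].ref`, `analysis.state`) and the `cveID` field of CISA's KEV JSON feed. All component names and CVE IDs below are constructed placeholders.

```python
"""Added example (not from the original post): cross-check a CycloneDX-style
SBOM against a VDR and a KEV list before release.

Assumptions (not stated on the page): CycloneDX 1.4+ JSON layout, in which
components carry a `bom-ref` and VDR entries live in a top-level
`vulnerabilities` array whose `affects[].ref` values point at those refs;
the KEV feed uses CISA's `vulnerabilities[].cveID` field.
All component names and CVE IDs are constructed placeholders.
"""
import json
from typing import Any

# Constructed SBOM: three components with placeholder bom-refs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "bom-ref": "pkg:example/libfoo@1.2.3", "name": "libfoo", "version": "1.2.3"},
    {"type": "library", "bom-ref": "pkg:example/libbar@4.5.6", "name": "libbar", "version": "4.5.6"},
    {"type": "library", "bom-ref": "pkg:example/libbaz@7.8.9", "name": "libbaz", "version": "7.8.9"}
  ]
}
"""

# Constructed VDR: libfoo checked and not affected, libbar has an open
# finding still in triage, libbaz has no entry at all.
VDR_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "affects": [{"ref": "pkg:example/libfoo@1.2.3"}],
     "analysis": {"state": "not_affected"}},
    {"id": "CVE-0000-0002", "affects": [{"ref": "pkg:example/libbar@4.5.6"}],
     "analysis": {"state": "in_triage"}}
  ]
}
"""

# Constructed KEV subset (placeholder ID, same field name as CISA's feed).
KEV_JSON = '{"vulnerabilities": [{"cveID": "CVE-0000-0002"}]}'

# CycloneDX analysis states that mean a finding needs no further action.
RESOLVED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def sbom_refs(sbom: dict[str, Any]) -> set[str]:
    """Collect the bom-ref of every component, including nested ones."""
    refs: set[str] = set()

    def walk(components: list[dict[str, Any]]) -> None:
        for comp in components:
            ref = comp.get("bom-ref")
            if ref:
                refs.add(ref)
            walk(comp.get("components", []))  # nested components

    walk(sbom.get("components", []))
    return refs


def assess(sbom: dict[str, Any], vdr: dict[str, Any], kev: dict[str, Any]) -> dict[str, Any]:
    """Return components without a VDR entry, open findings, and open KEV hits."""
    refs = sbom_refs(sbom)
    covered: set[str] = set()
    open_findings: list[tuple[str, str]] = []
    kev_ids = {v["cveID"] for v in kev.get("vulnerabilities", [])}
    kev_hits: set[str] = set()

    for vuln in vdr.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        # A missing analysis block is treated as still in triage (conservative).
        state = vuln.get("analysis", {}).get("state", "in_triage")
        for affected in vuln.get("affects", []):
            ref = affected.get("ref")
            if ref not in refs:
                continue  # entry for something not in this SBOM; ignore
            covered.add(ref)
            if state not in RESOLVED_STATES:
                open_findings.append((vid, ref))
                if vid in kev_ids:
                    kev_hits.add(vid)  # open and in KEV: needs a CSAF advisory

    uncovered = sorted(refs - covered)
    return {
        "uncovered": uncovered,
        "open": sorted(open_findings),
        "kev_hits": sorted(kev_hits),
        "release_ok": not uncovered and not open_findings,
    }


def assess_json(sbom_text: str, vdr_text: str, kev_text: str) -> dict[str, Any]:
    """Convenience wrapper taking the three documents as JSON text."""
    return assess(json.loads(sbom_text), json.loads(vdr_text), json.loads(kev_text))


if __name__ == "__main__":
    for key, value in assess_json(SBOM_JSON, VDR_JSON, KEV_JSON).items():
        print(f"{key}: {value}")
```

Treating a component with no VDR entry as "unchecked" is a policy choice made here, not something the format enforces: a CycloneDX document does not itself distinguish "checked, nothing found" from "never looked at", so a producer who wants the VDR to carry the attestation meaning the paragraph describes needs a convention for it, such as an explicit `not_affected` entry per component or a separate statement of coverage.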