<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dear colleagues,<div class=""><br class=""></div><div class="">We’d like to draw your attention to a proposal put forth by the European Commission to strengthen cybersecurity rules for hardware and software products, called the Cyber Resilience Act (CRA):</div><div class=""><br class=""></div><div class=""><a href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act" class="">https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act</a></div><div class=""><br class=""></div><div class="">Several members of the Internet community have raised concerns over the implications of the CRA for the open-source community. In particular, Maarten Aertsen of NLnet Labs gave a presentation about the CRA during RIPE 85 and Olaf Kolkman of the Internet Society wrote an article that may be of interest: </div><div class=""><br class=""></div><div class=""><a href="https://ripe85.ripe.net/programme/meeting-plan/os-wg/" class="">https://ripe85.ripe.net/programme/meeting-plan/os-wg/</a></div><div class=""><a href="https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/" class="">https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/</a> </div><div class=""><br class=""></div><div class="">There’s an opportunity to respond to the European Commission’s proposal until (at least) 27 January 2023:</div><div class=""><br class=""></div><div class=""><a href="https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en" class="">https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en</a> </div><div class=""><br class=""></div><div class="">This is an open consultation, and we would encourage you to share your views if you have an opinion. The feedback received will be passed on to the European Parliament and Council (the member states) as they each develop their own positions on the proposal, before negotiations between the three bodies begin. </div><div class=""><br class=""></div><div class="">The RIPE NCC is currently formulating its own response to the proposal, which will include the impact we foresee the CRA having on us as an organisation, but we want to ensure that the wider voice of the technical community is also heard. </div><div class=""><br class=""></div><div class="">You can see past examples of the RIPE NCC’s submissions to open consultations here:</div><div class=""><br class=""></div><div class=""><a href="https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations" class="">https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations</a></div><div class=""><br class=""></div><div class="">Please let us know if you have any questions. </div><div class=""><br class=""></div><div class="">Best regards,</div><div class=""><br class=""></div><div class="">Suzanne </div><div class=""><br class=""></div><div class="">__________________</div><div class="">Suzanne Taylor</div><div class="">Public Policy & Internet Governance</div><div class="">RIPE NCC</div><div class=""><a href="http://www.ripe.net" class="">www.ripe.net</a></div><div class=""><br class=""></div></body></html>