The Cyber Resilience Act: Life Jacket or Weighted Vest?: Regulatory Uncertainties when Integrating Free and Open-Source Software and Balancing Regulatory Burdens for Manufacturers and Innovations from Free and Open-Source Software
2026 (English). Independent thesis, advanced level (degree of Master, two years), 20 credits / 30 HE credits
Student thesis
Alternative title
Cyberresiliensförordningen: Flytväst eller viktväst? : Regulatorisk förutsebarhet vid integrering av fri- och öppen källkod samt balansering av regelbördor för tillverkare med innovationer från fri- och öppen källkod (Swedish)
Abstract [en]
The EU faces extensive cyberthreats, and products with digital elements (PDEs) constitute a weakness in the interconnected society. To face these challenges, the EU has introduced the Cyber Resilience Act (CRA). The CRA takes a comprehensive regulatory approach: it applies horizontally to all PDEs and imposes various obligations on manufacturers. At the same time, the widespread use of Free and Open-Source Software (FOSS) presents significant challenges. FOSS refers to a specific type of software which is community driven and can be accessed, modified, and redistributed for free. The FOSS community is underfunded, which results in frequent cybersecurity vulnerabilities. This is particularly problematic because FOSS components are often integrated into commercial PDEs, constituting weaknesses in supply chains. The widespread use of FOSS means that a single vulnerability can be exploited simultaneously across multiple entities, potentially causing far-reaching damage. This thesis examines whether the CRA adequately addresses cybersecurity vulnerabilities originating from FOSS while balancing regulatory burdens for manufacturers against innovations from FOSS.
Furthermore, the thesis examines whether the provisions on the integration of FOSS components in commercial PDEs provide sufficient regulatory certainty for manufacturers. The thesis provides both descriptive and critical analysis of the regulatory burdens imposed on manufacturers and evaluates the reasonableness of these obligations. It focuses in particular on the "commercial activity criterion" and the due diligence requirement. The thesis concludes that there are regulatory uncertainties relating to these provisions, especially regarding the term "intention to monetize" within the "commercial activity criterion", which creates interpretative challenges. Similarly, the due diligence requirement lacks clarity both as to which measures manufacturers must undertake and as to the point at which the obligation is considered fulfilled. Furthermore, the analysis shows that the CRA in its current form relies largely on standards that have not yet been fully formulated, with implications that may threaten both the existence of FOSS and the implementation of the CRA.
Place, publisher, year, edition, pages
2026. p. 56
Keywords [en]
CRA, FOSS, Cyber Resilience Act, Cybersecurity, PDE, Products with digital elements, Free and Open-Source Software, Commerciality, Due diligence, Commercial Activity Criterion, Vulnerabilities, Regulatory burdens for manufacturers
Keywords [sv]
Cyberresiliensförordningen (the Cyber Resilience Act), Fri- och öppen källkod (Free and Open-Source Software), Digitala produkter (digital products), Cybersäkerhet (cybersecurity), Uppkopplade produkter (connected products), Kommersiell aktivitet (commercial activity), Regelbördor för tillverkare (regulatory burdens for manufacturers)
National Category
Law
Identifiers
URN: urn:nbn:se:liu:diva-223259
ISRN: LIU-IEI-FIL-A--26/05191--SE
OAI: oai:DiVA.org:liu-223259
DiVA, id: diva2:2055432
Subject / course
Master Thesis in Commercial and Business Law
Available from: 2026-05-04
Created: 2026-04-24
Last updated: 2026-05-04
Bibliographically approved