
European Cyber Resilience Act [Discussion]

8 points by atg_abhishek over 1 year ago

4 comments

jcarrano over 1 year ago
I recently read a post by the main curl developer about his troubles with a bogus CVE which was categorized as critical. The CRA requires disclosing all vulnerabilities within 24h to a government agency. If your product uses any number of well known open source packages, there will always be new CVEs, most of which will probably not affect the security of the end product. I can't even imagine the burden it will place on companies, to have to justify whether or not each new "vulnerability" is or is not relevant in front of a government body.

I suspect many will opt to use lesser known, proprietary components which are probably less secure but have fewer vulnerabilities reported.
bennyelv over 1 year ago
It seems to apply only to "products with digital elements":

>>This Regulation ensures a high level of cybersecurity of products with digital elements. It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions. [Directive XXX/XXXX (NIS2)] puts in place cybersecurity and incident reporting requirements for essential and important entities, such as critical infrastructure, with a view to increasing the resilience of the services they provide. [Directive XXX/XXXX (NIS2)] applies to cloud computing services and cloud service models, such as SaaS. All entities providing cloud computing services in the Union that meet or exceed the threshold for medium-sized enterprises fall in the scope of that Directive

Does anyone know what the other directives that are referred to here might be (currently just XXX/XXXX)? Are they directives that are also still under development?
atg_abhishek over 1 year ago
Link to the main text of the CRA: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_1&format=PDF
pjmlp over 1 year ago
One of the best parts is that it will force companies to start taking secure code seriously, thanks to liability.