POLICY
Standards, guidelines and laws govern the world, and few places embody that reality better than the digital realm. With new and hybridized attack pathways proliferating rapidly, countries are updating their cybersecurity laws to keep pace.

Where do these shifting grounds leave open-source developers? And how can they stay ahead, adhering to these laws without compromising the pace of innovation?
“We’re focused on improving open source and supply chain security for everybody, and everybody is a subset,” said CRob Robinson, chief security architect of OpenSSF. “Europe is part of that subset, and they just recently released a new law called the Cyber Resilience Act that is going to have some pretty far-reaching consequences across the whole globe, honestly, and the tech ecosystem especially.”
Robinson spoke with theCUBE’s Paul Nashawaty at Open Source Summit NA, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the pressing need for devs, vendors, CIOs and other stakeholders to leverage available tools to stay compliant, build secure software and thrive in today’s regulated landscape. (* Disclosure below.)
The EU’s Cyber Resilience Act, or CRA, is poised to reshape the open-source and enterprise software landscape. With mandatory compliance kicking in by December 2027, organizations that ignore it risk losing access to Europe, the world’s third-largest market. Importantly, however, this is not just a European issue. Countries such as India, China, Australia and the U.K. are crafting similar legislation, and the U.S. is enforcing cybersecurity standards through procurement rules, according to Robinson.
“There’s some newer concepts like software bill of materials, but this is something that cybersecurity people are very familiar with,” he said. “Now, for upstream open-source developers, this is not necessarily anything they’ve ever had any exposure to — and there’s a lot of fear. Our mission is to provide education and awareness on what the facts of the law are and what actions you’re going to need to take. But the burden of compliance falls on manufacturers.”
These manufacturers often rely on open-source components, making secure-by-design development and transparency mission-critical. Failing to comply isn’t just an inconvenience — it’s potentially catastrophic. Under the CRA, companies found negligent in a data breach could face fines of up to 2.5 times their annual revenue per infraction, according to Robinson.
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of Open Source Summit:
(* Disclosure: The Linux Foundation sponsored this segment of theCUBE. Neither The Linux Foundation nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)