EU Cyber Resilience Act

[wlandau]

In today's R Repositories WG meeting, we discussed the new EU Cyber Resilience Act. The R Consortium and Linux Foundation are working on specific requirements for software stewards such as maintainers of CRAN, Bioconductor, and R-multiverse to ensure compliance. Apparently, the requirements will center on (1) transparency about processes, and (2) prevention of malware. All R package repositories will apparently need to comply by October 2027 or else they will not be able to distribute packages in the EU.

[wlandau]

More information from Terry Christiani, Director of the R Consortium:

Here is a link to the EU Cyber Resilience Act fact sheet: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-factsheet

The Linux Foundation is working to finalize a process for "Software Stewards" (a distinct class of software distributors that are open source - not commercial software distributors) to ensure that our repositories and mirrors are meeting the law's requirements and we can continue to distribute R packages after the law goes into effect in October of 2027.

I will continue to liaise with the LF and bring the recommendations back to the repositories group.

Lawrence will meet with R-Core and bring back their needs to the repositories group so we can all figure out how best the RC and our member sponsors can help support the work.

[wlandau]

From @llrs: https://github.com/orcwg/cra-hub/blob/main/faq.md

[wlandau]

c.f. https://openssf.org/public-policy/eu-cyber-resilience-act/