Microsoft vs Linux – Trade-Offs and the Impact of The Cyber Resilience Act

For many computer users, the choice of operating system (OS) is not a consideration. New laptops come bundled with either Windows or Mac OS, or corporate IT policy mandates (usually) Windows and company machines are locked down. Software developers, other professional users and serious hobbyists, however, have very different requirements for an OS and need features and levels of access that do not apply to the average business or home user.

Largely because of their respective origins, the traditional wisdom is that Windows is for ordinary users while Linux is for professionals, but this position no longer holds as both systems have evolved and continue to do so. This article looks at the benefits and downsides of each OS and also considers how the EU’s upcoming Cyber Resilience Act (CRA) may affect decision makers.

Windows and Linux – origins and evolution

First introduced in 1983 by Microsoft, Windows is a user-friendly OS, featuring an intuitive graphical user interface and wide compatibility with hardware and software. Windows was designed to simplify the user experience for PC users of all skill levels, making it popular for general use in the home and office. Linux, on the other hand, has its roots in the scientific and engineering community, being derived from the proprietary Unix OS. As opposed to Windows, Linux is an open-source system, which can legally be installed free of charge on any computer and has always been aimed at development environments, allowing much higher levels of access and customisation than Windows.

For many years, Windows was the world’s biggest selling OS but has lost ground in recent years as Android, a mobile OS which uses the Linux kernel, has dominated the market for mobile devices. As of April 2024, Android is the world’s most widely used OS, with 43.35% global market share, followed by Windows at 28.24%, iOS at 17.77%, macOS at 5.65%, and Linux at 1.5%. These headline figures, however, do not reflect the market segmentation of the various systems. While Android may have the biggest market share, Windows still very much dominates the desktop market, with over 73% share, while Linux dominates the supercomputer market and also leads the way in web servers, embedded systems and IoT applications.

General Comparison of Windows and Linux

Cost

As discussed above, Linux is typically free to download, use, modify and distribute, and a large proportion of software available for Linux is also free of charge. In contrast, the Windows OS requires a license for most editions, with costs varying depending on the version and usage rights. Free editions of Windows, such as Windows 10 Home, are available, but certain features and functionalities may be restricted or require additional payments. Additionally, much of the commercial software available for Windows also incurs a cost.

Support

The two OSs have quite different support models. Windows is backed by Microsoft, with extensive official support and resources available, both within the system and online. Its high market share ensures compatibility with a wide range of hardware and software products. Linux support is based on collaboration, troubleshooting and knowledge sharing within the extensive user community, with answers to problems available in online forums and wikis.

Architecture

Architecturally, the two OSs are also quite different. With Windows, most of the OS functionality is consolidated into a monolithic kernel, which operates in privileged mode. While this design underpins Windows’ efficiency and user-friendliness, it also makes the OS more susceptible to errors and vulnerabilities. Linux’s flexibility and high degree of customisation are based on a modular kernel, with a core microkernel responsible for the fundamental OS tasks. Other functionality is executed by loadable modules which run in unprivileged mode.

Figure 1: Windows and Linux have very different support models

User Interface and Experience

Windows’ user friendliness is based on its intuitive graphical user interface (GUI), which is consistent across versions, making it easy and familiar for end users. Interaction with Linux is primarily based on a command-line interface (CLI), which uses text commands and prompts to display and manipulate information on the screen. While a variety of GUIs are available for its users, Linux does not have the same consistency across its different distributions. The GUIs must be downloaded and customised by the user, which can be challenging.

The above pros and cons are general observations and may vary depending on specific use cases, applications and individual preferences. Factors such as project requirements, available software, budget and target audience will dictate the suitability of one OS over the other. For example, many enterprise software development operations (DevOps) rely on open-source software to reach their goals, and Linux gives developers access to a plethora of tools and packages which can be combined with their own software components. Also, for many years Linux has been the OS of choice for developers of embedded systems and IoT devices, working with RISC hardware architectures, such as the popular ARM families of processors, to create powerful and energy-efficient devices. Windows, on the other hand, provides a suitable environment for enterprise users, with access to a wide range of commercial software, a well-developed support network and readily available, skilled resources.

The Cyber Resilience Act

The Cyber Resilience Act (CRA) was approved by the European Parliament in March 2024 and is currently awaiting formal adoption by the European Council. This new framework is designed to tackle the growing risks associated with both critical and non-critical devices, including non-critical devices which might interact with critical infrastructure. The goal is to address the security vulnerabilities and risks posed by digital products, including IoT and smart devices, by covering both hardware and software.

The framework sets forth stringent requirements that manufacturers must meet in order to gain access to the European market. Manufacturers must prioritise cybersecurity during the design and development of products, ensuring they are secure from the outset and free from vulnerabilities. Products must undergo thorough security testing and vulnerability assessments, with a traceable development process, and manufacturers must provide regular security updates and patches throughout the product’s lifespan.

CRA Compliance

While the CRA has a wide scope, many of its requirements are consistent with established best practices or frameworks, such as the EU Cybersecurity Act (CSA). Therefore, its emphasis is on enforcing rules and ensuring compliance rather than redefining security practices. The CRA incorporates a classification system to categorise products according to their cybersecurity risk. Higher classes indicate a greater risk, necessitating heightened compliance requirements. The three main categories are:

  • Default (Non-Critical): The lowest risk category includes everyday products with digital components, such as photo editing software, smart speakers, and hard drives.
  • Critical Class I (Lower Risk): These are items that come with a higher level of risk and include items such as firewalls, password managers, and network interfaces.
  • Critical Class II (Higher Risk): The items in this category are of utmost importance and carry a significant level of risk. They often handle sensitive data or interact with critical infrastructure. Examples include OS for servers, industrial firewalls, or hardware in critical infrastructure.

The classification system determines the cybersecurity compliance level, with 90% of products falling under the default category, which has the least stringent requirements. For Default compliance, manufacturers will self-assess security, write an EU declaration of conformity, and provide technical documentation. In Class I, there will be an increase in workload and manufacturers will need to perform more thorough security assessments, adopt specific security measures such as secure coding practices, and keep detailed documentation. Third-party audits may also be required to ensure compliance. Class II products will need to undergo thorough security assessments and implement stringent security measures, such as penetration testing, secure coding practices, incident response plans, and regular third-party audits.

Figure 2: The Cyber Resilience Act (CRA) aims to address the increasing security vulnerabilities and risks associated with digital products

It is important to remember that the CRA is also product-based. This means that even if every individual component in a product is CRA compliant on its own, developers must still provide evidence that the final combined product is compliant.

CRA and Open-Source

This classification system aims to streamline regulation by focusing stricter security measures on the products that truly need them. However, there are lingering concerns regarding open-source solutions, such as Linux. Early drafts of the Act raised apprehensions about the impact on the open-source model. Many are worried that it could impose an unmanageable burden on developers, who may struggle to comply due to limited resources.

In response to feedback from the open-source community and recognising the importance of open-source to innovation and the EU’s goal of digital sovereignty, revised legislation introduced a new economic actor, the “open-source steward”. An “open-source steward” will have the responsibility of supporting and maintaining any open-source software under its jurisdiction, ensuring that it stays secure and functional for operational use. While the concept is new and it remains to be seen how the open-source community will adopt it, this modification to the CRA is an indicator of the EU’s understanding of the economic importance of open-source.

Windows or Linux?

As with any business software decision, the choice between Linux and Windows will be based on many factors. While upfront licensing costs may appear to weigh against Windows for many applications, the total cost of ownership includes setup and development costs and may include the need to hire specialist resources. The characteristics of the application are also important. The main strengths of Linux have been in development environments, while Windows has historically aimed at the general user, in the home or the office. As the IT environment continues to evolve, however, the picture blurs as each OS encroaches on the space of the other, as with web services and embedded devices. The decision will ultimately be influenced by the familiarity and expertise of in-house developers and engineers, along with the range of software tools and libraries already in use.

Impact of CRA

Security is a critical consideration, and the CRA will add an extra layer of obligation for many manufacturers. Linux has traditionally been regarded as more secure than Windows, partly because its OS design presents a smaller attack surface and partly because the larger user base of Windows makes it a more attractive target for threat actors.

Demonstrating compliance with the CRA may be more straightforward when utilising the proprietary Windows system as opposed to the open-source Linux. Windows comes preloaded with comprehensive and standardised security practices, featuring a mature security ecosystem that includes a range of security tools, and as a result, this can streamline compliance for manufacturers, especially when dealing with Class II systems.

Equally, while Linux’s open-source nature fosters a community that constantly scrutinises and improves security, compliance for some manufacturers might be more complex due to the diverse nature of the Linux landscape. For example, a small company creating a highly customised Linux distribution might have more challenges meeting Class I or II requirements compared with a large vendor with a well-established server distribution.

Ultimately, when choosing between Linux and Windows, developers must evaluate the CRA as part of a broader assessment that considers factors such as the application’s requirements, the level of customisation needed and the scale of deployment. For some, Linux’s greater flexibility will be its main strength. For others, it will lead to a longer path to CRA compliance that undermines their product’s viability, and in these instances developers will probably prefer Windows for its more standardised security approach. As we move forward, the CRA will play a crucial role in combating cybercrime, and for developers choosing an operating system it will be an important factor to consider in order to ensure product success.
