More than a dozen open source industry bodies have published an open letter ask the European Commission (EC) to reconsider aspects of its proposal Cyber Resilience Law (CRA), saying it will have a “chilling effect” on open source software development if it is implemented in its current form.
Thirteen organizations, including the Eclipse Foundation, Linux Europe Foundation, and the Open Source Initiative (OSI), also point out that the Cyber Resilience Act, as written, “poses unnecessary economic and technological risk to the EU.”
The purpose of the letter, it seems, is for the open source community to get more input into the evolution of the CRA as it progresses through the European Parliament.
The letter says:
We are writing to express our concern that the broader open source community has been underrepresented during the development of the Cyber Resilience Act to date, and we want to ensure that this is resolved through the legislature process by providing our support. Open source software represents more than 70% of the software present in products with digital elements in Europe. However, our community does not have the benefit of an established relationship with the co-legislators.
The software and other technical artifacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of software in Europe is about to be regulated without in-depth consultation.
early stages
First revealed in draft of in September, the Cyber Resilience Act strives to codify into law cybersecurity best practices for connected products sold in the European Union. The legislation is designed to strengthen manufacturers of Internet-connected hardware and software, for example those that make Internet-enabled toys or “smart” refrigerators, to ensure that their products are robust and keep up with the latest software updates. security.
Penalties for non-compliance can include fines of up to €15 million, or 2.5% of global turnover.
While the Cyber Resilience Act is still in its early stages, with nothing set to become actual law in the immediate future, the legislation has already sounded some alarm bells in the open source world. Is My dear whereas open source components make up 70-90% of most modern software products, from web browsers to servers; however, many open source projects are developed by individuals or small teams in their spare time. Thus, the intentions of the CRA to extend the CE marking Software self-certification system, whereby all software developers will have to testify that their software is in good shape, could stifle open source development for fear of contravening new legislation.
He bill as it stands, in fact, it goes some way to addressing some of these concerns. He says (emphasis ours):
In order not to hinder innovation or research, Free and open source software developed or provided outside of the course of a commercial activity must not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a business can be characterized not only by the charging of a price for a product, but also by the charging of a price for technical support services, for the provision of a software platform through the which the manufacturer monetizes other services, or for the use of personal data for reasons other than exclusively to improve the security, compatibility or interoperability of the software.
However, the language as it stands has raised concerns in the open source world. While the text seems to exempt non-commercial open source software from its scope, trying to define what is meant by “non-commercial” is not an easy task. As GitHub Director of Policy Mike Linksvayer noted In a blog post last month, developers often “create and maintain open source in a variety of paid and unpaid contexts,” which can include businesses, governments, nonprofits, academia, and more.
“Non-profit organizations offer paid consulting services as technical support for their open source software,” Linksvayer wrote. “And increasingly, developers are receiving sponsorships, grants, and other forms of financial support for their efforts. These nuances require a different exemption for open source.”
So really, it all comes down to language: clarifying that open source software developers will not be held responsible for any security bugs of a later product that uses a particular component.
“The Cyber Resilience Act can be improved by focusing on finished products,” added Linksvayer. “If open source software is not offered as a paid or monetized product, it should be exempt.”
“Chilling effect”
A growing number of proposed regulations in Europe are raising concerns across the tech landscape, with open source software being a recurring theme. In fact, the issues surrounding the CRA are somewhat reminiscent of those facing the The next EU AI Law, which seeks to govern AI applications based on their perceived risks. GitHub CEO Thomas Dohmke recently opined that developers of open source software should be exempted from the scope of that legislation when it comes into effect, as it could create onerous legal liability for general purpose AI (GPAI) systems and give greater power to big tech companies well financed.
As for the Cyber Resiliency Act, the message from the open source software community is pretty clear: they feel their voices are not being heard, and if no changes are made to the proposed legislation, it could have a big long-term impact. .
“Our voices and experience must be heard and given the opportunity to inform the decisions of public authorities,” the letter says. “If the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global effort, with the net effect of undermining the EU’s expressed goals for innovation, digital sovereignty and future prosperity. ”
The full list of signatories includes: The Eclipse Foundation; Linux Europe Foundation; Open Source Initiative (OSI); OpenForum Europe (OFE); Association of Portuguese Open Source Software Companies (ESOP); CNLL; The Document Foundation (TDF); European Associations of Open Source Software Companies (APELL); COSS – Finnish Center for Open Systems and Solutions; Open Source Business Alliance (OSBA); Open Solutions and Systems (COSS); OW2 and the Software Heritage Foundation.