Thirteen organizations and companies dedicated to open source have published an open letter in which they call on the European Commission to reconsider various aspects of its proposed Cyber Resilience Act, since they point out that it would have a negative effect on the development of open source software if it is implemented in its current form.
Among the organizations behind this letter are the Eclipse Foundation, Linux Foundation Europe and the Open Source Initiative (OSI). Besides pointing out that it would affect open source development, they also argue that the law, as currently written, "represents an unnecessary economic and technological risk for the European Union".
Another purpose of the letter, it seems, is to give the open source community a greater say in the evolution of the law as it progresses through the European Parliament. Among other things, its signatories express their concern "because the majority of the open source community has been underrepresented during the development to date of the Cyber Resilience Act, and they want to ensure that this is remedied throughout the legislative process by lending our support".
In addition, the organizations point out that "open source software represents more than 70% of the software present in Europe in products with digital elements. Still, the community does not have the advantages of an established relationship with the co-legislators. The software and other technical artifacts produced by us are unprecedented in their contribution to the technology sector, as well as to our digital sovereignty and the economic benefits associated with many levels. With the CRA, more than 70% of software in Europe will be regulated without in-depth consultation".
First presented last September, the Cyber Resilience Act aims to codify best cybersecurity practices for connected products sold in the EU. The law is designed to take a firm hand with hardware and software manufacturers so that their products are robust and kept up to date with the latest security enhancements.
Fines for non-compliance can reach 15 million euros, or 2.5% of the sanctioned company's global revenue. The process leading to its eventual approval, which will not be immediate, is still in its early stages, and despite this it has already alarmed the open source community.
It is estimated that between 70 and 90 percent of the software components of many products are open source, from browsers to servers. Furthermore, many open source projects are the product of independent developers working in their spare time.
For this reason, the CRA's intention to extend a software self-certification regime across the whole Union, under which all software developers would have to certify that their programs are correct and up to date, could slow down open source development for fear of running afoul of the new law.
In fact, the draft law, as it stands, already addresses some of these concerns. As the draft states: "In order not to impair innovation and research, free and open source software developed or provided outside of the course of a commercial activity will not be covered by this regulation. This is for software, including its modified versions and its source code, that is shared openly and is freely accessible and usable, and that can be modified and redistributed".
However, the language used in this passage, and in others like it, has aroused concern in the open source sector. Although the text seems to exempt non-commercial open source software from the rule, defining what that concept covers is not an easy task, not least because developers frequently create and maintain open source software in a variety of paid and unpaid contexts, including academic, NGO, government and even business settings.
For open source software to remain outside the scope of this law, one could not charge for maintaining it or providing technical support, yet many NGOs and other organizations offer paid consulting services as technical support for their open source software. In addition, developers often receive grants, awards and other forms of financial support for their work.
It is not clear whether such cases would be affected by the law, and it should be made clear that they are not: exceptions are needed. For example, according to several experts, the problem would be solved if the law focused on finished products rather than on the activities surrounding them, and if a product that is neither paid for nor subscription-based were exempt.