Tech Gadget Central Latest Tech News and Reviews
sliderThe proposed legislation also creates ‘an unwarranted economic and technological risk to the EU’.
The European Commission (EC)’s planned Cyber Resilience Act (CRA) will “chill” open source software development, according to an open letter from over a dozen open source industry groups.
The Eclipse Foundation, Linux Foundation Europe, and Open Source Initiative (OSI) are among 13 organizations who say the Cyber Resilience Act “poses an unnecessary economic and technological risk to the EU.”
The letter appears to give the open source community more influence over the CRA’s development in the European Parliament.
Letter reads:
We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act to date, and wish to ensure this is remedied throughout the co-legislative process by lending our support. Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators.
The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation.
Early phases
The Cyber Resilience Act, first proposed in September, seeks to legalize optimal cybersecurity practices for linked EU products. Internet-connected hardware and software makers, such as those that make internet-enabled toys or “smart” refrigerators, must ensure their devices are secure and up-to-date.
Non-compliance penalties might reach €15M or 2.5% of global turnover.
The Cyber Resilience Act, which has yet to become law, has raised concerns in the open source community. Many open source projects are produced by individuals or small teams in their own time, but 70-90% of current software products, from web browsers to servers, use open source components. Thus, the CRA’s plans to expand the CE marking self-certification system to software, requiring all developers to attest to their product’s quality, could restrict open source development for fear of violating the new law.
The draft legislation addresses some of these concerns. It states:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
However, open source developers are concerned about the language. The text seems to exclude non-commercial open source software, although defining “non-commercial” is difficult. In a blog post last month, GitHub policy director Mike Linksvayer observed that engineers “create and maintain open source in a variety of paid and unpaid contexts,” including corporate, government, non-profit, academic, and more.
Linksvayer noted that non-profit groups provide technical support for open source software through paid consultation. Developers increasingly obtain sponsorships, grants, and other financial backing. Open-source needs a different exemption.”
It’s all about language—clarifying that open source software creators won’t be held accountable for security issues in downstream products that employ a component.
“Focusing on finished products can improve the Cyber Resilience Act,” Linksvayer said. “Open source software should be exempt if it is not sold.”
Chilling effect
Open source software is a recurring worry as European rules increase. The EU’s planned AI Act, which regulates AI applications based on risk, is similar to the CRA’s difficulties. GitHub CEO Thomas Dohmke recently said that open source software developers should be exempt from that legislation when it takes effect since it could increase legal liability for general purpose AI systems (GPAI) and empower well-funded major tech businesses.
The open source software community feels their voices are not being heard on the Cyber Resilience Act, which could have a big long-term impact if not changed.
“Our voices and expertise should be heard and have an opportunity to inform public authorities’ decisions,” the letter states. “If the CRA is implemented as written, it will chill global open source software development, undermining the EU’s own expressed goals for innovation, digital sovereignty, and future prosperity.”
The Eclipse Foundation, Linux Foundation Europe, Open Source Initiative (OSI), OpenForum Europe (OFE), Associação de Empresas de Software Open Source Portuguesas (ESOP), CNLL, The Document Foundation (TDF), European Open Source Software Business Associations (APELL), COSS – Finnish Centre for Open Systems and Solutions, OSBA, COSS, OW2, and Software Heritage Foundation are all signatories.
