More than a dozen open source industry organizations have collectively published an open letter directed towards the European Commission (EC), urging them to reconsider certain aspects of their proposed Cyber Resilience Act (CRA). The participants claim that if enacted in its current condition, it will have a “chilling effect” on open source software developers.
The signatories of the open letter include the Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI). The letter notes that these organizations do not have an established relationship with the European legislators. It also points out that open source software is estimated to represent more than 70% of digital products across Europe, and that the CRA seeks to regulate this software without any form of genuine consultation with the stakeholders involved.
The aim of the Cyber Resilience Act (CRA) is to establish best cybersecurity practices for vendors of connected products that are sold in the European Union, with potential fines of up to €15M, or 2.5% of global turnover, in the event of non-compliance. The current draft of the legislation appeared in September.
The open source community is alarmed by the regulation as it stands. The draft does exempt “free and open source software developed or supplied outside the course of a commercial activity” from the CRA’s scope, but this wording places a major burden on open source developers, who struggle to determine what counts as “non-commercial”. In some cases developers receive sponsorships or grants, while in others they work in corporate, government, academic, or non-profit roles.
To assuage these fears, Mike Linksvayer, the policy director at GitHub, argued that the exemption should be clarified to focus on finished products that are not available for sale or which are otherwise monetized, and that open source software that does not meet these criteria should be excluded from the scope of the CRA.
This sentiment is echoed in the second paragraph of the letter, which pushes for the voices of the open source community to be heard and taken into consideration during the legislative process. While the letter notes that legislation such as the CRA could have far-reaching benefits, its authors stress that open source developers should not bear the brunt of it if they are not creating or distributing commercial or monetized open source software.
Given the sheer importance of open source software in the European Union, and its ubiquity everywhere from web browsers to servers, the letter beseeches the European Commission to recognize the value and importance of open source software development, and to protect it from the unnecessary economic and technological risks that the CRA in its current form could introduce. It also suggests that the EU should consult closely with open source software industry bodies throughout the co-legislative process, so as to take into account the expertise that distinguishes open source from traditional software.
In addition to the Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI), the full list of signatories also includes OpenForum Europe (OFE), Associação de Empresas de Software Open Source Portuguesas (ESOP), CNLL, The Document Foundation (TDF), European Open Source Software Business Associations (APELL), COSS - Finnish Center for Open Systems and Solutions, Open Source Business Alliance (OSBA), Open Systems and Solutions (COSS), OW2 and the Software Heritage Foundation.
The letter therefore puts the open source community in the spotlight, pushing for a louder voice in the legislative process for the long-term benefit of everyone concerned. The European Commission must keep in mind the potential risks the CRA poses to the open source developer ecosystem, and assess the impact it could have if these concerns are left unaddressed.