Why does the Cyber Resilience Act concern open source software developers?

More than a dozen foundations, associations and organizations that develop open source software have published an open letter asking the European Commission to reconsider some aspects of the Cyber Resilience Act (CRA). According to signatories such as the Eclipse Foundation, Linux Foundation Europe and the Open Source Initiative (OSI), if the text is not changed it will have a "deterrent effect" on the entire open source community.

What is the Cyber Resilience Act?

The Cyber Resilience Act is a legislative proposal that introduces cybersecurity requirements for products with digital elements, that is, hardware and software that is connected to the Internet or to other devices. The maximum fines provided for in the proposal can reach 15 million euros or 2.5% of the annual worldwide turnover, whichever is higher. The regulation is designed to make products such as connected appliances and toys more secure, and to do so it makes software and hardware manufacturers responsible for handling vulnerabilities and providing security updates over the product's lifetime.

Why is the open source community alarmed?

Open source licenses allow the source code of a project to be used freely, including inside commercial products. It is estimated that open source components make up between 70 and 90% of modern software products, and many of those components are developed by small non-profit teams or by individual volunteers. As the Python Software Foundation (PSF) explains, the regulation as currently written could compromise the development and distribution of open source software in Europe, because it would make open source organizations and individuals liable for distributing code that later turns out to contain vulnerabilities. In other words, if the CRA's CE marking and self-certification obligations were extended to open source, anyone who publishes free software could be held responsible for a vulnerability in it and for the consequences of that vulnerability, regardless of whether they earned anything from it.

The question of financial scale

The question has to be seen in the economic context of the actors involved: there is clearly a large difference between Google's Android and a small non-profit, both in financial and in operational terms. Furthermore, as the CRA is written, alpha and beta versions of software would also fall within its scope, even though much free software is by nature under continuous revision. According to the associations, the fact that anyone can analyze the source code makes such software more secure, because the community can scrutinize it. There is also a concern on the AI front. As The Verge writes, quoting GitHub CEO Thomas Dohmke, "open source software developers should be exempt from the scope of such legislation when it comes into force, as it could create burdensome legal liabilities for artificial intelligence systems (GPAI) and empower large, well-funded companies."

The new text of the Cyber Resilience Act

According to the new text, the Cyber Resilience Act would apply only to products placed on the EU market in the course of a commercial activity, that is, to generate revenue beyond the recovery of maintenance costs, which would limit its application to open source software. The language, however, still leaves room for interpretation, and for this reason the open source community is asking to be consulted so that the regulation can be rewritten more clearly. There is still time: the public consultation ends on May 25, after which the text passes to the European Parliament, which can begin amending the Commission's proposal.