The proposed legislation also poses 'an unnecessary economic and technological risk to the EU':
More than a dozen open source industry bodies have published an open letter asking the European Commission (EC) to reconsider aspects of its proposed Cyber Resilience Act (CRA), saying it will have a "chilling effect" on open source software development if implemented in its current form.
Thirteen organizations, including the Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI), also note that the Cyber Resilience Act as its written "poses an unnecessary economic and technological risk to the EU."
The purpose of the letter, it seems, is for the open source community to garner a bigger say in the evolution of the CRA as it progresses through the European Parliament.
The letter reads:
We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act to date, and wish to ensure this is remedied throughout the co-legislative process by lending our support. Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators.
The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation.
[...] Penalties for non-compliance may include fines of up to €15M, or 2.5% of global turnover.
While the Cyber Resilience Act is still in its early-stages, with nothing set to pass into actual law in the immediate future, the legislation has already set some alarm bells ringing in the open source world. It's estimated that open source components constitute between 70-90% of most modern software products, from web browsers to servers, yet many open source projects are developed by individuals or small teams in their spare time. Thus, the CRA's intentions of extending the CE marking self-certification system to software, whereby all software developers will have to testify that their software is ship-shape, could stifle open source development for fear of contravening the new legislation.
The draft legislation as it stands does in fact go some way toward addressing some of these concerns. It says (emphasis ours):
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
However, the language as it stands has prompted concerns from the open source world. While the text does seem to exempt non-commercial open source software from its scope, trying to define what is meant by "non-commercial" is not a straight forward endeavor. As GitHub policy director Mike Linksvayer noted in a blog post last month, developers often "create and maintain open source in a variety of paid and unpaid contexts," which may include corporate, government, non-profit, academic, and more.
(Score: 4, Informative) by PiMuNu on Wednesday April 19, @10:30AM
The EU is only a weak democracy - by which I mean the lower house, that sets policy, is made up of political nominees and elected people can only slow down or amend policy. This is both good - it means that there is less opportunity potentially for weird media trends to push legislation - and bad, in that the legislative process tends to have not much consultation and things can be twisted by opaque (sometimes corrupt) bureaucrats.