European flag in front of the Parliament

A reprieve for open source?

In the last few months, the EU has introduced various bills to better protect users of hardware and software. Specifically, these are the AI Act, the Product Liability Directive and the Cyber Resilience Act (CRA). The latter, in particular, also poses great risks for the open source community and Europe.

Rico Barth, Managing Director of KIX Service Software and board member of the Open Source Business Alliance, reports.

28.07.2023 General

Background

The EU has already introduced a number of laws to strengthen cybersecurity in the past - including NIS-2 and the Cybersecurity Act. Now the Cyber Resilience Act has been added. And this is basically a good thing. Manufacturers, distributors and importers would have to comply with security guidelines for the entire lifecycle and all uses of software, and provide security updates, for example. In other words, the CRA is a CE mark for software that must be updated with every stable release. But there is a big catch.

The draft explicitly excludes open source software, but only if it is not used for commercial activities. The vague wording leaves a lot of room for interpretation, which has led to anger in the open source community. Organisations such as the Open Source Business Alliance, Bitkom and the Eclipse Foundation have voiced their concerns and proposed improvements. The FileZilla project recently disabled all downloads for a day in protest.

Death knell for open source in Europe

The open source community is rightly concerned about developments in Brussels. Companies that violate the CRA's requirements could face fines in the millions. And in general, the CRA in its original form would have devastating consequences: software vendors would be exposed to maximum risk, because they can keep track of customers with existing contracts but not of those who freely download and reuse their open source software. In addition, lawyers would be able to construct damage scenarios and use cease-and-desist letters to force smaller vendors out of the market. The result would be that companies would stop all open source activities and switch to proprietary, closed software.

And that, in a nutshell, would be the death knell for open source in Europe and a significant weakening for small and medium-sized enterprises. Open source projects contribute between €65 billion and €95 billion annually to the EU economy, so there would be a huge gap. The diversity of the European software industry would be threatened, and the IT giants would benefit and gain even more market dominance. What we have painstakingly built up over the years with subsidies and taxpayers' money could be lost in one fell swoop. If we fail to preserve an independent IT infrastructure, the dream of digital sovereignty on our continent will also be over. In this case, it would even be wise to take a leaf out of the US's book. Its current 'National Cybersecurity Strategy' explicitly states that open source developers will not be held liable for commercial products.

Hope dies last

The fact that we find ourselves at this point at all, having to stress the great benefits of open source, is a regrettable state of affairs. Not long ago, the German government agreed in its coalition agreement to strengthen the open source sector. And projects like Gaia-X have raised hopes that we are on the way to a strong European IT infrastructure. Millions have been invested, and now it may all have been for nothing.

But not all hope is lost. The draft Cyber Resilience Act has gone through several stages and adjustments. Most recently, the European Parliament, or more specifically the Committee on Industry, Research and Energy (ITRE) and the Committee on the Internal Market and Consumer Protection (IMCO), considered the CRA. While the ITRE is sticking to most of the points, the IMCO has taken a much more positive stance on the issue of open source. Further negotiations are likely to take place in September between the Parliament, the Commission and the Council of the European Union.

All's well that ends well?

Rico Barth, CEO KIX Service Software GmbH & OSBA board member

I hope that the talks will ultimately lead to a good outcome for the open source community.

If the directives remain in place, not only will countless livelihoods be threatened, but it will also be a massive step backwards for Europe. This is at a time when we need a strong and sovereign single market more than ever, to avoid being left behind by the rest of the world. Although there would be a transition period of several years, it would be little more than a reprieve.

Hopefully we will be spared that.
