Cyber Resilience Act (CRA)

28/07/2023
 

A reprieve for open source?

CYBER RESILIENCE ACT (CRA) & PRODUCT LIABILITY DIRECTIVE (PLD)


In the last few months, the EU has introduced various bills intended to better protect users of hardware and software: the AI Act, the Product Liability Directive and the Cyber Resilience Act (CRA). The latter in particular also poses great risks for the open source community and for Europe.

Rico Barth, Managing Director of KIX Service Software and board member of the Open Source Business Alliance, reports.


The EU has already introduced a number of laws to strengthen cyber security in the past - including NIS-2 and the Cybersecurity Act. Now the Cyber Resilience Act has been added. And this is essentially a good thing: manufacturers, distributors and importers would have to comply with security requirements for the entire life cycle and all uses of their software, and would have to provide security updates, for example. Or to put it another way: the CRA is a CE mark for software, one that has to be renewed for every stable release. However, there is one big catch.

While the draft explicitly excludes open source software, it only does so where the software is not used for commercial activities. Because of the vague wording, there is a great deal of room for interpretation here, which has caused displeasure in the open source sector. Organisations such as the Open Source Business Alliance, Bitkom and the Eclipse Foundation have voiced their concerns and proposed improvements. The FileZilla project recently even deactivated all of its downloads for a day in protest.



Death blow for open source in Europe

The community is right to watch the developments in Brussels with concern. Companies that violate the requirements of the CRA must expect fines running into the millions. And in general, the CRA in its original form would have devastating consequences: software producers would be exposed to maximum risk because they can keep track of customers with existing contracts, but not of those who freely download and reuse the open source software. In addition, lawyers could construct damage scenarios and use warning letters to force smaller manufacturers out of the market. The consequence would be that companies stop all open source activities and switch to proprietary, i.e. closed-source, software.

And that would be, in short, the death blow for open source in Europe, as well as a considerable weakening of small and medium-sized enterprises. Open source projects contribute between 65 and 95 billion euros annually to the EU economy, so a gigantic hole would open up here. The diversity of the European software industry would be endangered; the IT giants would be the beneficiaries and would gain even more market dominance. What we have painstakingly built up over years with funding and tax money could be lost in one fell swoop. If we do not manage to preserve an independent IT infrastructure, the dream of digital sovereignty on our continent will be over as well. In this respect, the USA would even be worth taking as a model: its current 'National Cybersecurity Strategy' explicitly states that open source developers will not be held liable, even for commercial products.



HOPE DIES LAST

The fact that we are at this point at all and have to emphasise the great advantages of open source is a sorry state of affairs. It was not long ago that the German government agreed in its coalition agreement to strengthen the open source sector. And projects like Gaia-X have also raised hopes that we are on the way to a strong European IT infrastructure. Millions have been invested, and now it might all have been in vain.

But not all hope is lost. The Cyber Resilience Act bill has gone through several stages and adjustments. Most recently, the European Parliament dealt with the CRA, more precisely the Committee on Industry, Research and Energy (ITRE) and the Committee on the Internal Market and Consumer Protection (IMCO). While the ITRE retains most of the original points, the IMCO has taken a much more positive position on the issue of open source. Further negotiations between the Parliament, the Commission and the Council of the European Union are likely to take place in September.


I hope that the talks will ultimately have a good outcome for the open source community.

If the provisions were to remain in place, not only would countless livelihoods be threatened, it would also be a massive step backwards for Europe. And this in a situation in which we need a strong and sovereign single market more than ever before, so as not to be left behind by the rest of the world. Although there would be a transition period of several years, that would be little more than a reprieve.

Hopefully we will be spared this.

Rico Barth, CEO
