EU Cyber Resilience Act would harm open source software and competitiveness

If the EU Cyber Resilience Act is adopted in its present form, it would seriously harm the open source ecosystem and the competitiveness of the European economy, argues EDRi member Vrijschrift Foundation in a letter to the Dutch Parliament.

By Vrijschrift Foundation (guest author) · October 25, 2023

The EU Cyber Resilience Act (CRA) proposal aims to make products containing software and the software itself more secure. EDRi member Vrijschrift Foundation endorses this objective, but argues in a letter to Dutch Parliament that if the CRA is adopted in its present form it would seriously harm the open source ecosystem and the competitiveness of the European economy.

EU Council and Parliament have decided to fast-track the legislative process.

Concerns regarding open source software have not been addressed

Open source software plays a crucial role in the software world and the economy. The Dutch Minister of Economic Affairs and Climate has written to the Dutch Senate that concerns regarding open source software have been “extensively addressed” by means of a recital. The purpose of recitals is to set out concise reasons for the chief provisions of the enacting terms, without reproducing or paraphrasing them. But recitals do not make for adequate address as they do not have independent legal force.

Open source software plays a major role in the software world and the European economy. The position paper of DigitalEurope states that without changes the CRA would disrupt Europe’s ability to innovate and compete globally. The German Automotive Industry Association says that the efficient cooperation in the German automotive industry using free and open source software is crucial to its competitiveness.

The vulnerable open source ecosystem

The development of closed source software will not fall under the CRA as it is developed by one party behind closed doors. In contrast, without clarifications the development of open source software would fall under the CRA as it is developed publicly by individual developers, non-profit organisations, and corporations. This makes it a vulnerable development process by a vulnerable ecosystem. Thus, it is crucial to include within the scope of the CRA only the separate process of commercially marketing open source software.

So far, the versions of the CRA of the EU Commission, Council, and Parliament do not clearly limit the scope of the CRA. In addition to occasional counterproductive formulations, the co-legislators often put the limitations to the scope of the CRA in the Recitals, despite European Court of Justice case law that rules that recitals do not have binding legal force and cannot be relied upon as a ground for derogating from the actual provisions of the act in question.

Improve the CRA proposal in consultation with open source software organisations

Without improvements the Cyber Resilience Act would seriously harm the vulnerable open source software ecosystem and therefore the EU’s competitiveness, without making software more secure. Vrijschrift asks the Dutch Parliament to encourage that the legislative proposal is improved in consultation with open source software organisations, while keeping in mind that only articles have independent legal force.


Contribution by: Ante Wessels, analyst, EDRi member Vrijschrift Foundation