On September 15, 2022, the European Commission published a draft law called the Cyber Resilience Act (CRA), which aims to improve the security of hardware and software products. The proposal defines „standard metrics“ for evaluating the safety of projects. It communicates the security status of each project to users in a simple way. A CRA “approval” would be the equivalent of a „CE“ mark on software products.
However, if applied as written, the bill could make authors of free and open source (FOSS) projects legally and financially responsible for how their projects are used within others‘ commercial projects. This is a problem since Open Source software is, by definition, distributed „as is,“ with no guarantees, thus relieving authors of any liability.
We suggest that the bill needs to distinguish between independent authors in a voluntary capacity and technology giants selling products or services. Under the currently proposed bill, if I develop a logging library and make it Open Source, Company X could use it within its product without giving me anything in return. If a vulnerability is discovered in my library, I would be legally and economically liable for the damages suffered by that company.
More generally, the idea behind free software and open licenses is to make software accessible, freely modifiable, and redistributable. Suppose a for-profit company adopts open source software to perform its functions or services. In that case, it should be the company’s responsibility to secure that software and, depending on the license, redistribute it or not with its own improvements.
The proposed law could be a strong disincentive for both authors and contributors to open source projects. Specifically, Article 16 of the proposed law states that „one who applies substantial changes“ to a project is considered equal to the author in terms of liability. However, the meaning of the phrase „substantial changes“ is unclear, which makes the proposed law even more problematic.
The risk is that the proposed CRA law could block innovation in the field of open source software and damage the economy of the entire country. Therefore, it is essential to raise awareness among the public and relevant authorities about the possible adverse effects of the proposed CRA law and to try to find solutions that protect both authors and users of open source software.
Since September 2022 the European FOSS community has been monitoring debate around this topic, while the European Parliament and the European Commission worked on the CRA draft.
On July 19, 2023, the draft regulation presented by the European Commission was approved with amendments by the European Council (chaired by Spain) and, in parallel, by the European Parliament. The adoption of these two proposals allows the start of inter-institutional negotiations between the Council and the European Parliament (the so-called trialogue) for the adoption of the final text. The trialogue is expected to take place in September, and the regulation’s final adoption could occur shortly afterward.
Linux Professional Institute (LPI) will host an online roundtable discussion on the Cyber Resilience Act (CRA) on October 3rd. This roundtable discussion will provide an opportunity to raise awareness of the potential risks of the CRA and to discuss possible solutions.