The European open source community is concerned about the potential side effects of the proposed European Cyber Resilience Act (CRA). Adoption of the bill in its current form could hinder or even freeze open source software development. Several European open source organizations have warned the European Commission (EC) in an open letter about the impact the CRA would have on the sector. According to the letter, the proposal as drafted would have a crippling effect on the development of open source solutions and poses an economic and technological risk to the EU.
Open source is particularly affected because of how widely it is used in the software currently in production. Developers would be kept busy complying with the new rules, slowing down development. Furthermore, it is not clear which software falls under the CRA. The bill appears to exempt open source software that is openly shared and freely accessible, usable, modifiable and redistributable, but it does not give a precise legal definition of this category, making it difficult to determine which open source software qualifies. The provision of (paid) consultancy services and technical support around such software further complicates the question.
The CRA is intended to consolidate cybersecurity requirements for internet-connected products into a single comprehensive law. Hardware and software suppliers must make their products as robust as possible and keep them updated with the latest security updates. Failure to do so will result in fines of up to 15 million euros or 2.5 percent of annual turnover.
The European open source community is calling for more input in the development of the CRA bill to ensure that open source software is not adversely affected. They are also urging the European Commission to provide a clear definition of open source software to ensure that the bill does not impede the development of open source solutions.