As the European Union is about to initiate negotiations between co-legislators on the Cyber Resilience Act (CRA), we, the undersigned organisations and contributors to leading European open source software (OSS), herewith express our utmost concerns about the consequences of the proposed CRA, and misconceptions throughout the EU legislative process.
In this time of increasing awareness of the challenges to European open strategic autonomy, Europe needs a strong open source community supportive of SMEs, startups and scaleups, but also accountability of large corporations in increasing cybersecurity.
We deeply share the CRA’s aim to improve cybersecurity in the EU and embrace the urgent need to protect citizens and economies by improving software security.
We welcome some recent positive changes brought by the co-legislators, such as the manufacturers’ obligation to report vulnerabilities to the entity maintaining OSS.
However, should the proposal or the position of the European Parliament be adopted as it stands, the CRA would: decrease the number of OSS projects available to European SMEs; increase the control over OSS initiatives by large corporations; jeopardise the fragile equilibrium that benefits SMEs and contributes to European innovation; and reduce the security of products available to consumers.
Thus, in order not to harm European innovation, we urge co-legislators to consider the following:
- Clearly state that if open source software under the governance of a non-profit falls within the scope of the legislation, legal responsibility should only be on commercial entities supplying the software in the course of a commercial activity, and not the governing non-profit which makes the software available free of charge;
- Recognise that, for open source software under the governance of non-profits acting as neutral spaces, those non-profits may agree to collaborate with for-profit entities by coordinating the compliance of the software;
- Allow the CE marking and overall compliance managed by commercial entities to be reusable by the OSS community.
With these elements the CRA could achieve one of its objectives to regulate and improve the cybersecurity practices of OSS used in commercial activities without altering the equilibrium of OSS development, research and collaboration, which currently plays to the advantage of European SMEs and innovation.
The undersigned organisations collectively represent a large part of the open source ecosystem in Europe. We offer our collective expertise, and support an increased dialogue towards the CRA’s successful implementation in this new regulatory paradigm.