Open Letter to the European Commission on the Cyber Resilience Act

Monday, April 17, 2023 - 07:56 by Jacob Harris

Dear Members of the European Parliament,

Dear Representatives to the Council of the European Union,

We, the undersigned, represent leading governance institutions within the European and global open source software community. We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act (CRA) to date and wish to ensure this is remedied throughout the co-legislative process by lending our support. 

Open source software (OSS) represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators. The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation. 

As acknowledged in the EU’s Open Source Software Strategy 2020-2023, open source software plays a critical role in the digital economy, powering everything from cloud infrastructure to mobile applications to public transportation systems. In Europe alone, we represent about 100 billion in economic impact. It is therefore essential that any legislation that impacts the software industry takes into account the unique needs and perspectives of open source software, as well as our modern methodologies used to create software.

We deeply share the CRA’s aim to improve the cybersecurity of digital products and services in the EU and embrace the urgent need to protect citizens and economies by improving software security.

However, our voices and expertise should be heard and have an opportunity to inform public authorities' decisions. If the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU’s own expressed goals for innovation, digital sovereignty, and future prosperity.

Moving forward, we urge you to engage with the open source community and take our concerns into account as you consider the implementation of the Cyber Resilience Act. Specifically, moving forward, we urge you to: 

  1. Recognise the unique characteristics of open source software and ensure that the Cyber Resilience Act does not unintentionally harm the open source ecosystem.
  2. Consult with the open source community during the co-legislative process.
  3. Ensure that any development under the CRA takes into account the diversity of open and transparent open source software development practices.
  4. Establish a mechanism for ongoing dialogue and collaboration between the European institutions and the open source community, to ensure that future legislation and policy decisions are informed. 

The undersigned organisations collectively represent the governance of much of the open source software which industry and society rely on. We offer our collective expertise, including envisioning how these professional organisations may support a more inclusive and effective process to inform the CRA today. The same increase in dialog and collaboration will continue to support the CRA’s successful implementation in this new regulatory paradigm. We are prepared to send a representative delegation to meet with the members now. 

We appreciate your attention to this matter and look forward to working with you to ensure that the Cyber Resilience Act reflects the concerns and contributions of the entire software industry, including the open source community.

Co-signed by the Executive Directors, Board Chairs, and Presidents on behalf of their respective organisations: 

Associaçāo de Empresas de Software Open Source Portuguesas (ESOP)

CNLL, the French Open Source Business Association

The Document Foundation (TDF)

Eclipse Foundation

European Open Source Software Business Associations (APELL) 

COSS - Finnish Centre for Open Systems and Solutions 

Linux Foundation Europe 

Open Forum Europe (OFE)

Open Source Business Alliance (OSBA)

Open Source Initiative (OSI)

Open Systems and Solutions (COSS)


Software Heritage Foundation