Cyber Resilience Act: the CNLL sounds the alarm for free software



For several months now, free and open source software professionals and organizations have been warning about the devastating effects that the European Union’s proposed regulation, the Cyber Resilience Act (CRA), would have on this software. If nothing changes, on Wednesday, July 19, a text with “particularly serious consequences for small and medium-sized enterprises operating in the field of free software” risks being adopted by a vote within the Industry, Research and Energy (ITRE) committee of the European Parliament, and this without a vote in plenary session, the CNLL fears (the CNLL states that it represents “more than 300 companies in the free software and open digital sector in France”).

A high additional cost for SMEs

The CNLL’s alarm (excerpts):

– “The CRA will impose very onerous administrative and technical requirements on organizations that distribute products or services that are software or contain software. This includes developing, documenting and implementing policies and procedures for each project, preparing technical documentation for each product release and following a complex CE marking process. The Commission’s impact study estimates the increase in development costs for SMEs at 30%, which is well above the margins usually observed in the sector. In the event of non-compliance with these obligations, SMEs are liable to a fine of 15 million euros.”

The CNLL points out that “all free software licenses currently in use include a disclaimer: it is indeed logical that an individual, a company, small or large, a foundation, a research institute, etc. does not want to be held responsible (when there is no deliberate will to harm) when offering, free of charge, the fruit of its labor as a common good to the rest of humanity. At the same time, the free software publishers did not wait for the CRA to offer their customers contracts in which they undertake to ensure the maintenance of their free software, for remuneration, which covers the maintenance costs but also the R&D necessary for the creation and evolution of this software.”

– According to the current draft text, “any free software project that includes employees of a company among its contributors is considered a commercial activity. This expanded definition encompasses almost all significant free software projects, with potentially devastating consequences. Not only would this encourage projects, some of which are known to have difficulty in ensuring their financial sustainability, to refuse contributions from companies using their software, but it could also lead companies to ban their employees from participating in free software development projects. It would also encourage companies in the free software industry to stop releasing their components as open source, to make their development practices less transparent, and to refrain from contributing to free software projects when these do not fit into the very restrictive exceptions provided for by the text.

Furthermore, the text of the ITRE committee states that any free software project accepting recurring donations from commercial entities is considered a commercial activity. This represents a major risk for the sustainability of free software projects that serve as the building blocks for the products that free software SMEs bring to market.”

A major sector for Europe

– The CNLL recalls that “the free software sector, beyond the SMEs that mainly compose it, is a major economic sector for Europe. It contributes €65-95 billion per year to the EU economy, according to the Commission’s 2021 study, and is at the heart of research and development in many advanced technological areas, including in the Horizon Europe R&D program.

The impact of the CRA on this sector is therefore likely to have consequences far beyond the companies directly concerned.”

Finally, the CNLL calls for consultation in the future with the actors of the open source ecosystem, in particular with the APELL (European Professional Association of Free Software), which federates the national associations of free software companies in Europe.

Alongside this alert (and previous ones by other French organizations, such as April, or European organizations, such as the Free Software Foundation Europe, or FSFE), other players, such as GitHub, have expressed their concern about the CRA in its current form. Last week, GitHub’s developer policy manager Mike Linksvayer published a blog post pointing out the same problematic aspects of the text.
