Risks of the Cyber Resilience Act: “Free software is a source of sovereignty” (Philippe Latombe)

Image pxhere / public domain

For months, alerts have been coming one after the other regarding the Cyber Resilience Act (CRA) now in preparation: presented by the European Commission in 2022, it is meant to impose cybersecurity obligations on digital products and services in the European Union. But it risks causing more than collateral damage to free software.

“Apply to the right place in the free software value chain”

Interviewed in July by the web TV channel “La Bourse et la Vie”, MP (MoDem) Philippe Latombe, author in 2021 of the “Digital Sovereignty” report, responded to financial journalist Didier Testot (transcription in Libre à lire):

“That [the CRA] has side effects, on the other hand, for free software, and I discuss it a lot with French free software companies. We will see how we can ensure that the CRA applies, but applies to the right place in the free software value chain, that is to say not necessarily to intellectual creation, where the contributors write code, but rather, if there are editors, it would be the editors who would be subject to the CRA. This would be much more logical and would make it possible to preserve the free software sector and its wealth because, without free software, we will have a loss of sovereignty.

I am firmly convinced that sovereignty is linked to free software, to the capacity for innovation, to this ability of several people to come together to discuss the same subject in order to be able to make the best possible code. Free software is a source of sovereignty because it also allows us to find alternatives to software from publishers who would be in the majority and if we no longer have it, it would allow companies to continue to operate. We will look with businesses, we will look with the government which is open on the subject, how we can influence the CRA to make it as effective as possible.”

“In Europe, they are mainly employees”, not volunteers

On August 29, in the “Smart Tech” show of the B-Smart podcast, journalist Delphine Sabattier received Jean-Paul Smets, CEO of RapidSpace (transcription in Libre à lire; hats off to the April group, once again, for this super-useful work!), as well as two digital business managers. Jean-Paul Smets stresses that for connected objects, whose software is often never updated, the CRA will be very useful, but he returns to the impact on open source:

“They [the European Commission] have a sort of blue-chip idea in saying that free software is necessarily communities of volunteers. In fact, in Europe, free software is mainly employees in SMEs and sometimes in research institutes. The Commission’s text made an exception to the 15 million euro fine for volunteer communities. But all enterprise software has, at one time or another, a contributing employee, and in some versions of the text having an employee makes the software qualify as commercial free software, so that means virtually all free software will be subject to CRA risks.”

“By implementing this developer/payer idea, the problem is that we impose the same constraints on a company like Microsoft, a software publishing giant, and on an SME like Stéphane Varoqui’s Signal18, while they do not have at all the same means. We will therefore simply filter the offer by ensuring that the large publishers, who have the means to create a team dedicated to regulation, will do so, and small ones will not be able to take on the responsibility imposed on them.”

The entire show is worth listening to (or reading): the two other speakers, Stéphane Varoqui, CEO of Signal18 and formerly of MariaDB, and Arthur Heymans, project manager at 9elements, illustrate precisely how their businesses operate and the consequences of unbridled developer liability.

“We don’t necessarily receive compensation from the people who distribute them”

Thus Stéphane Varoqui:

“Open source has become very popular, few large companies do not use open source products and, as a result, they have gotten into the habit of not paying. We are really, open source, the variable… Now open source products are sold in the cloud and we, the developers, do not necessarily receive compensation from the people who distribute them. For example, when Google distributes a product in SaaS (Software as a Service) mode, such as MariaDB… We don’t get any rights to it, we don’t get any money. We’re the ones who take care of the development and they’re the ones who benefit financially because they rent their equipment with the product that’s running. The only way for open source publishers to get out of this is to go to the cloud, to become a cloud, a competitive cloud, which is what MariaDB did when I left it.”

Last but not least, the CNLL (representing more than 200 open source companies), which has already raised the alarm several times, published on September 7 “France must protect its free software sector from the side effects of the Cyber Resilience Act (CRA)”, which summarizes its detailed study published the day before.

In the latter, the organization writes:

“The CNLL is deeply concerned about the risks, set out below, that a final drafting of the CRA would be inappropriate with regard to the reality of the economic and development models of the open source sector, and asks the French government to influence the negotiations in order to protect its national free software sector, which represents nearly 6 billion euros in annual turnover and 64,000 direct jobs in 2023.”

Free and open source organizations in Europe are united in these warnings. The CNLL specifies:

“This position paper on the CRA was developed by the CNLL on the basis of our discussions with many organizations in the open source ecosystem, and in particular our European partners gathered within the APELL (European Professional Association of Free Software), which represents the European free software sector in Brussels. We have used the document Stellungnahme zum Cyber Resilience Act of the OSBA, our German counterpart, as a starting point for this text.”

Read also

Cyber Resilience Act: the CNLL sounds the alarm for free software – July 17, 2023

MEPs want to protect free software in AI regulation – May 15, 2023

The Cyber Resilience Act, a European project that worries free software players – April 23, 2023

Free and open source software: Apell wants to federate business associations in Europe – February 5, 2020