The Cyber Resilience Act, a European project that worries free software players


Image pxhere/public domain

Presented by the European Commission in September 2022, the CRA (Cyber Resilience Act) is meant to impose cybersecurity obligations on digital products and services in the European Union. But this text, currently under examination by the European Parliament and the Council, “represents an existential threat to the European free software industry”, says the CNLL (which “represents more than 300 companies whose economic model is based on open source”).

“Profoundly dissuasive” against free software

The CNLL and other organizations (including APELL, the European Professional Association of Free Software; the Linux Foundation Europe; the Open Document Foundation; the Eclipse Foundation; the Open Source Initiative; OW2; the Software Heritage Foundation; and organizations from Portugal, Germany and Finland) published this week a joint communiqué and an open letter (PDF) addressed to MEPs and to representatives of the Council of the European Union.

The main problems with the CRA, summarizes the CNLL, are:

“If the CRA is implemented in its current wording, it will have a profound chilling effect on the development and use of free software in Europe, which would undermine the EU’s objectives of innovation, digital sovereignty and future prosperity.

• The CRA does not take into account the unique needs and perspectives of free software, especially as a modern methodology used to create software.

• The free software community was not sufficiently consulted during the drafting of the CRA, despite the fact that free software represents more than 70% of the software integrated into digital products in Europe.

• It is essential that in the future, any legislation that impacts the European software industry takes into account the unique needs and perspectives of free software, which plays a critical role in the digital economy, and represents around 100 billion euros of economic impact in Europe.”

The statements sparked a debate on LinuxFr, where user Micromy gives this summary of an article from the Python Software Foundation (PSF) (which apparently is not among the co-signers, but which also reacted to the CRA):

“Basically, what is criticized is that the current text considers, in two places, that a software supplier or modifier, whether a natural or legal person, automatically becomes legally responsible or co-responsible for the presence of a security problem.

What the PSF criticizes is that the terms are too general and would in fact encompass both a publisher who sells a solution based on free software (with a contractual relationship, paid support, a guarantee, and so on) and the volunteer contributors of these free software code bases, in particular in the event that an exploited flaw is in that code base.

For the PSF, if the lack of clarity persists, there is too great a legal and financial risk, which could lead them to no longer offer Python for use in the European Union. There is also an imbalance between a seller who can potentially assume this risk, having benefited “for free” from free resources, and the volunteers who cannot.

Limit the CRA “by unequivocally excluding free software”

For the CNLL, “the text must imperatively be amended, in particular in order to limit its application to finished products (hardware and software) and services, sold within a contractual framework of a commercial nature, unequivocally excluding free software, distributed in the form of source code or binaries, regardless of the entity carrying out the development (individuals, SMEs, start-ups, large groups, etc.), as long as no commercial contractual relationship exists between the author(s) of the software and its users”.

The open letter from FOSS organizations asks:

“Going forward, we urge you to engage with the open source community and consider our concerns when considering the implementation of the Cyber Resilience Act. Specifically, going forward, we urge you to:

1. Recognize the unique characteristics of open source software and ensure that the Cyber Resilience Act does not unintentionally harm the open source ecosystem.

2. Consult the Open Source community during the co-legislative process.

3. Ensure that any development under the CRA takes into account the diversity of open and transparent open source software development practices.

4. Establish a mechanism for continuous dialogue and collaboration between European institutions and the Open Source community, to ensure that future legislation and policy decisions are relevant.”

In addition to this collective reaction, other free software actors warn against the risks of the CRA: the Free Software Foundation Europe (which also points the finger at the AI Act and the Product Liability Directive, or PLD) and Wikimedia Brussels, the group of Wikimedians (the movement which supports Wikipedia and related projects) working on European legislation.
