The Linux Foundation Europe says a rewrite of the EU Cyber Resiliency Act means the legislation is “not as threatening” but still has implications for open source governance.
And while the organization said the act now uses a “reasonable definition of open source,” there is still much work to be done on standards developments and thrashing out the details of the controversial legislation.
The CRA was unveiled in late 2022, with the aim of shoring up cybersecurity and boosting protections for consumers across the EU. It covers any product with a digital element, including IoT devices.
But early texts sent shockwaves through the open source community, with open source leaders warning that it loaded liability for security onto upstream developers and foundations. Linux Foundation Europe chief Gabriele Columbro warned the Open Source Summit in September that there was a real possibility that “to prevent liability, open source projects could be blocked for download into the EU or be published with a disclaimer.”
But a revised text, unveiled this month following the trilogue process between the European Parliament, Council, and Commission, has allayed the foundation’s worst fears.
Mirko Boehm, senior director, community development at Linux Foundation Europe, told The Stack the revised text contains a number of improvements over the original text.
"Still uncertainties..."
But he added, “There are still uncertainties and there will be implications for the governance of open source communities. However, the CRA now is not as threatening to the open source community as it once was.”
The text “separates development from distribution and draws much clearer lines regarding what is considered commercial activity. Nonprofits are mostly excluded from CRA obligations.”
The CRA includes a novel operator role of "open source software steward", Boehm said. This means it will be the first law that “explicitly differentiates between commercial manufacturers and nonprofits that feel responsible for concrete open source releases.”
Stewards should be subject to a light-touch regulatory regime, he continued, “Which is not yet clearly defined, but sounds reassuring.”
Now, he said, the focus needed to be on upcoming standards development which will clarify and detail the implications of the CRA. But he warned, “The process will very likely be hosted by one of the SDOs (standardization development organizations) recognized by the EU. They don't have a track record of working well with open source foundations. We will strive to be actively involved.”
While Boehm was relatively sanguine about the implications of the revised CRA, other organizations have been less so.
OpenUK CEO Amanda Brock said earlier this month that the revised CRA’s definition of open source did not align with “the accepted definition of open source software and the long established free software definition” or indeed definitions the commission itself had used in the past.
But she noted that the act would still have to undergo a “review by lawyer linguists” and “It may be that the open source communities find it worthwhile to have a final push in the campaign against the CRA to encourage the Commission to use a corrected and established definition.”