Blog

Will the European Union Erect Barriers to FOSS?

2023 September 20 - By Max Roveri
Will the European Union Erect Barriers to FOSS?

On September 15, 2022, the European Commission published a draft law called the Cyber Resilience Act (CRA), which aims to improve the security of hardware and software products. The proposal defines “standard metrics” for evaluating the safety of projects. It communicates the security status of each project to users in a simple way. A CRA “approval” would be the equivalent of a “CE” mark on software products.

However, if applied as written, the bill could make authors of free and open source (FOSS) projects legally and financially responsible for how their projects are used within others’ commercial projects. This is a problem since Open Source software is, by definition, distributed “as is,” with no guarantees, thus relieving authors of any liability.

We suggest that the bill needs to distinguish between independent authors in a voluntary capacity and technology giants selling products or services. Under the currently proposed bill, if I develop a logging library and make it Open Source, Company X could use it within its product without giving me anything in return. If a vulnerability is discovered in my library, I would be legally and economically liable for the damages suffered by that company.

An innovation versus security conundrum?

More generally, the idea behind free software and open licenses is to make software accessible, freely modifiable, and redistributable. Suppose a for-profit company adopts open source software to perform its functions or services. In that case, it should be the company’s responsibility to secure that software and, depending on the license, redistribute it or not with its own improvements.

The proposed law could be a strong disincentive for both authors and contributors to open source projects. Specifically, Article 16 of the proposed law states that “one who applies substantial changes” to a project is considered equal to the author in terms of liability. However, the meaning of the phrase “substantial changes” is unclear, which makes the proposed law even more problematic.

The risk is that the proposed CRA law could block innovation in the field of open source software and damage the economy of the entire country. Therefore, it is essential to raise awareness among the public and relevant authorities about the possible adverse effects of the proposed CRA law and to try to find solutions that protect both authors and users of open source software.

The Cyber Resilience Act (CRA) today

Since September 2022 the European FOSS community has been monitoring debate around this topic, while the European Parliament and the European Commission worked on the CRA draft.

On July 19, 2023, the draft regulation presented by the European Commission was approved with amendments by the European Council (chaired by Spain) and, in parallel, by the European Parliament. The adoption of these two proposals allows the start of inter-institutional negotiations between the Council and the European Parliament (the so-called trialogue) for the adoption of the final text. The trialogue is expected to take place in September, and the regulation’s final adoption could occur shortly afterward.

LPI and the Cyber Resilience Act (CRA)

Linux Professional Institute (LPI) will host an online roundtable discussion on the Cyber Resilience Act (CRA) on October 3rd. This roundtable discussion will provide an opportunity to raise awareness of the potential risks of the CRA and to discuss possible solutions.

The LPI CRA round table: Be there!

About Max Roveri:

Massimiliano "Max" Roveri is a writer, blogger, editor and social media manager. He started writing on the internet in the late '90s and he went back to the digital media in 2009. Since 2014 he lives in Ireland and, since 2015, he has been part of the LPI Italy team. He is professionally involved in cultural mediation projects, with an event management side, and in education projects as a professional and as a volunteer as well.  With a background in humanities and philosophy, he loves to address the ethical and social aspects of Open Source, with an approach that nods to Gregory Bateson and Robert M. Pirsig. Photo: uphostudio

Leave a Reply

Your email address will not be published. Required fields are marked *

Linux Professional Institute is a non profit organization.

Linux Professional Institute (LPI) is the global certification standard and career support organization for open source professionals. With more than 200,000 certification holders, it’s the world’s first and largest vendor-neutral Linux and open source certification body. LPI has certified professionals in over 180 countries, delivers exams in multiple languages, and has hundreds of training partners.

Our mission is to promote the use of open source by supporting the people who work with it.

In case of a content discrepancy between English and the translation, the English version is canonical.
Spot a mistake or want to help improve this translation? Please let us know.

© Copyright 1999-2024 Linux Professional Institute Inc. All rights reserved.
Linux is a registered trademark of Linus Torvalds. Linux Professional Institute and corresponding “L” logo are registered trademarks.