Several open-source software organizations in Europe have expressed their concerns about the proposed Cyber Resilience Act (CRA) in a letter to the members of the European Parliament and the representatives of the Council of the European Union.
"Chilling Effect"
The letter addressed the open-source community's lack of representation during the CRA's development. It emphasized the critical role that open-source software plays in the digital economy, powering everything from cloud infrastructure to mobile applications to public transportation systems.
The letter also stated that the software and technical artifacts produced by the open-source community are unprecedented in their contribution to the technology industry, along with digital sovereignty and associated economic benefits on many levels.
The community expressed their backing for enhancing cybersecurity in digital products and services in the EU and acknowledged the importance of enhancing software security to safeguard citizens and economies.
However, they are concerned about the Cyber Resilience Act's present form, stating that it could impede open-source software development as a worldwide undertaking and potentially undermine the EU's objectives for innovation, digital sovereignty, and future prosperity.
"If the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global endeavor, with the net effect of undermining the EU's own expressed goals for innovation, digital sovereignty, and future prosperity," the letter reads.
All About the CRA
The draft of the Cyber Resilience Act was introduced in September 2022, aiming to establish cybersecurity best practices for internet-connected products sold within the EU, according to TechCrunch.
The legislation is intended to pressure hardware and software manufacturers to comply with the regulations. Non-compliance may result in fines of up to €15M or 2.5% of the company's global turnover.
Despite being in the early stages of development, the Cyber Resilience Act has raised concerns among the open-source community.
Open-source components make up between 70% and 90% of modern software products, including web browsers and servers. However, according to TechCrunch, many of these projects are created by individuals or small groups in their free time.
The open-source community asks the European Parliament and Council members to avoid unintentionally harming their ecosystem.
They urge members to consult with open-source communities, recognize diverse development practices, and establish ongoing dialogue for collaboration.
Proposed regulations in Europe, including the Cyber Resilience Act and the upcoming AI Act, are causing concerns in the tech industry. GitHub's CEO has suggested that open-source software developers be exempt from the AI Act.
The open-source community is also worried about the CRA, stating that their voices are not being heard.
The executive directors, board chairs, and presidents co-signed the letter on behalf of their respective organizations, including the European Open Source Software Business Associations (APELL), the Open Source Initiative (OSI), and the Software Heritage Foundation, among others.