OpenInfra Foundation Expresses Concern over Proposed EU Cyber Resilience Act

By Thierry Carrez on 26/05/2023

The Open Infrastructure Foundation, a global non-profit organization that facilitates the development and promotes the use of open source solutions for infrastructure, joins other leading open source organizations, including the Open Source Initiative, OpenForum Europe and the Python Software Foundation, in expressing concerns about the proposed text of the EU Cyber Resilience Act (CRA).

Used in more than 70% of products with digital elements in Europe, open source software is a key innovation mechanism representing about €100 billion in economic impact in Europe alone. Used to provide infrastructure, it is an essential part of ensuring digital sovereignty for the region. The EU's embrace of, and leadership on, the concept of digital sovereignty has resulted in wide, global adoption of open source software solutions like OpenStack. If this legislation moves forward in its current form, it would dramatically upend a burgeoning market of privacy-first open source solutions for both public and private cloud. It is therefore critical to protect open source software and to take into account its specificities (compared to traditional proprietary software) in future legislation.

While the European Commission has tried (through the exemptions expressed in recital 10) to protect open source software in the proposed text, it has done so without consulting the wider open source community during the co-legislative process, and has therefore used language that is very likely to have the opposite effect.

In particular, the language used is based on a software development model that assumes a single company developing the entire code base behind closed doors and making periodic releases, for which CE marks can be pursued before general commercial availability. The open development process that OpenInfra and other open source projects follow is a different model: a global, open collaboration between contributors from multiple organizations produces a constant flow of publicly available intermediary artifacts. This base code can be packaged into a product and sold, but the vendor-neutral production of open source software is by nature disconnected from its later vendor-specific application. Attaching responsibilities and liabilities to the code for publishers, redistributors and contributors would inevitably have a chilling effect on that successful global model, potentially discouraging contributions from EU developers or the creation of EU-based communities to work on future open source software.

We join the Open Source Initiative in suggesting that the European Commission clearly exclude open source community upstream development activities from the scope of this legislation. This would allow the CRA to reach its goals of increasing security and trust in digital products without adversely impacting open source communities and the availability of open source software in Europe. In the future, we encourage the Commission to actively seek advice from the various organizations representing open source communities, including the Open Source Initiative, of which the Open Infrastructure Foundation is an affiliate organization.