Cyber Resilience Act: open source in danger?

The response to the EU Commission’s proposal for a Cyber Resilience Act (CRA) has been overwhelmingly positive so far. But now, more and more people in the open source community are beginning to see the proposed Regulation as a risk to the development and use of open source software (OSS). Are these concerns justified? Will the open source projects even be able to meet the proposed requirements? See this article for answers.

Duties in accordance with the Cyber Resilience Act

In order to improve cybersecurity for products with digital elements, the CRA provides not only for an assessment of cybersecurity risks, but in particular, for a longer surveillance period for products. Manufacturers are required not only to actively monitor their products and report vulnerabilities, but to provide security updates as well. While this is very beneficial for users, it will mean a high organizational expense and added costs for manufacturers, importers and distributors. Particularly for non-commercial open source projects, the requirements hardly seem feasible.

Does the Cyber Resilience Act apply to open source?

The EU Commission has recognized that the requirements in the proposed CRA are hardly manageable, particularly for non-commercial open source projects. Accordingly, it has exempted OSS in Recital 10 to the proposed Regulation so as not to hamper innovation and research. The CRA will not apply to free and open-source software which is developed or supplied outside the course of a commercial activity. This particularly applies for “software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.” In other words, the EU Commission has stated clearly and explicitly that the CRA will have no impact on non-commercial open source projects. However, since the Recitals to a Regulation are not legally binding and since considerable uncertainty exists in the open source community, an express exclusion in the CRA itself would be desirable.

CRA fully applicable for commercial use

Only the non-commercial development and supply of OSS are excluded from the scope of the CRA. But if OSS is developed or supplied in the course of a commercial activity, all duties under the CRA would apply to the software’s manufacturer. The EU Commission defines the term “commercial activity” broadly. Under this definition, commercial use exists not only if a price is charged for the software, but e.g. in the following cases as well:

  • provision of technical support services for a fee;
  • provision of a software platform through which other services are monetized;
  • processing personal data for purposes other than improving the software’s security, compatibility or interoperability.

In other words, the proposed CRA will apply not only in cases where OSS forms part of a digital product which is distributed commercially, but also in cases where OSS is integrated into the business model in some way. It follows that companies which develop or supply OSS on a commercial basis will have to support the open source projects behind their software in such a way as to meet the CRA’s requirements. Accordingly, companies would have to provide even greater support in the future for open source projects in their software supply chain.


The present discussions about the CRA’s impact on open source projects are understandable in light of the inadequate treatment of this subject in the Regulation. In cases where OSS is used commercially, the CRA can be viewed as an opportunity for the development and promotion of cybersecurity in open source projects. It will be exciting to see whether the EU Commission, the Council and the European Parliament will further specify the CRA’s provisions relating to open source software in the course of the trilogue negotiations. But it is evident even now that open source compliance and cybersecurity by design will be more important than ever.
