The response to the EU Commission’s proposal for a Cyber Resilience Act (CRA) has been overwhelmingly positive so far. But now, more and more people in the open source community are beginning to see the proposed Regulation as a risk to the development and use of open source software (OSS). Are these concerns justified? Will the open source projects even be able to meet the proposed requirements? See this article for answers.
Duties in accordance with the Cyber Resilience Act
In order to improve cybersecurity for products with digital elements, the CRA provides not only for an assessment of cybersecurity risks but, in particular, for a longer surveillance period for products. Manufacturers are required not only to actively monitor their products and report vulnerabilities, but to provide security updates as well. While this is very beneficial for users, it will mean a high organizational expense and added costs for manufacturers, importers and distributors. Particularly for non-commercial open source projects, the requirements hardly seem feasible.
Does the Cyber Resilience Act apply to open source?
The EU Commission has recognized that the requirements in the proposed CRA are hardly manageable, particularly for non-commercial open source projects. Accordingly, it has exempted OSS in Recital 10 to the proposed Regulation so as not to hamper innovation and research. The CRA will not apply to free and open-source software which is developed or supplied outside the course of a commercial activity. This particularly applies to “software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable.” In other words, the EU Commission has stated clearly and explicitly that the CRA will have no impact on non-commercial open source projects. However, since the Recitals to a Regulation are not legally binding and since considerable uncertainty exists in the open source community, an express exclusion in the CRA itself would be desirable.
CRA fully applicable for commercial use
Only the non-commercial development and supply of OSS are excluded from the scope of the CRA. But if OSS is developed or supplied in the course of a commercial activity, all duties under the CRA would apply to the software’s manufacturer. The EU Commission defines the term “commercial activity” broadly. Under this definition, commercial use exists not only if a price is charged for the software, but also, for example, in the following cases:
- provision of technical support services for a fee;
- provision of a software platform through which other services are monetized;
- processing personal data for purposes other than improving the software’s security, compatibility or interoperability.
In other words, the proposed CRA will apply not only in cases where OSS forms part of a digital product which is distributed commercially, but also in cases where OSS is integrated into the business model in some way. It follows that companies which develop or supply OSS on a commercial basis will have to support the open source projects behind their software in such a way as to meet the CRA’s requirements. Accordingly, companies would have to provide even greater support in the future for open source projects in their software supply chain.
Conclusion
The present discussions about the CRA’s impact on open source projects are understandable in light of the inadequate treatment of this subject in the Regulation. In cases where OSS is used commercially, the CRA can be viewed as an opportunity for the development and promotion of cybersecurity in open source projects. It will be exciting to see whether the EU Commission, the Council and the European Parliament will further specify the CRA’s provisions relating to open source software in the course of the trilogue negotiations. But it is evident even now that open source compliance and cybersecurity by design will be more important than ever.