The Cyber Resilience Act (CRA) is a European regulatory initiative that would hold manufacturers, distributors and importers of products with digital components to higher security standards for their products or services. The Open Source Business Alliance explicitly supports the goals of the Cyber Resilience Act to increase the quality and security standards of IT products. The member companies of the association have a strong interest in offering and distributing secure software and see commercial software providers as having a responsibility in this regard. However, some still fuzzy formulations in the current drafts pose a considerable threat to the European open source ecosystem and thus to the ability of the entire European IT sector to innovate and create value. The German government must therefore work to ensure that the open source ecosystem is adequately protected in the upcoming trilogue negotiations.
The difficult demarcation of "commercial open source software" in the CRA
The CRA appears to be written primarily with proprietary software in mind. Therefore, the requirements to be met are also formulated with regard to the development and distribution models of proprietary software. However, the development and distribution models of open source software differ in part considerably from the development and distribution models of proprietary software due to the open and cooperative approach and the freedoms granted by the software licenses concerned.
The CRA seeks an exemption for open source software, provided that it is not used for commercial activities. However, the problem lies in the concrete definition of "commercial". Here, a clear demarcation is difficult and there is too much gray area with room for interpretation and thus legal uncertainty. Open source solutions are sometimes jointly developed and maintained in the context of a purely commercial activity (by paid employees of a company with a commercial interest), in the context of science and teaching, by public administration and sometimes also by volunteers in their free time, without their own commercial interest. This interweaving of volunteer and commercial actors and organizations is what makes up the open source ecosystem. While commercial open source software providers should clearly fall within the scope of the CRA in the view of the OSB Alliance, the exemption for non-commercial open source producers still needs to be improved.
Danger of overregulation
The CRA currently takes insufficient account of the special development and distribution models of open source, which means that regulations under the CRA are difficult to apply to open source software in many cases, or result in unintended overregulation. With the current state of the CRA, there is a risk that too many volunteer open source initiatives, research and education projects, or individuals will be held liable who are not actually part of the CRA’s intended target group. The statement therefore makes concrete suggestions on how to better frame the open source exception.
Risk of legal uncertainty
The room for interpretation and the legal uncertainty caused by the unclearly formulated open source exception mean that smaller open source projects, which usually do not have professional legal counsel at their disposal, cannot be sure whether the open source exception applies to them or not. Out of caution, companies and initiatives might withdraw from the European market. There is a risk of a chilling effect resulting from the CRA and thus a great deal of damage to the entire open source ecosystem. Since countless digital products and solutions are built on open source components, a negative domino effect for the entire software industry can be assumed.
Threat of damage to economy and digital sovereignty
This would also slow down SMEs and start-ups in particular and would have significant negative effects on competition and the speed of innovation. Since open source software also plays a central role in science, the legal uncertainty or overregulation caused by the CRA would also have negative consequences for research and teaching as well as the transfer of innovation from science to industry. Open source foundations, which do central (non-profit) work for many open source projects, would also be threatened by the CRA. The German government relies heavily on open source software with numerous measures to strengthen digital sovereignty. These strategic policy goals are also at risk if the domino effect outlined above were to occur in the open source ecosystem. With regard to open source software, the CRA would thus miss its target and achieve the opposite of what it was conceived for. Instead of more secure open source software, we would have less and, above all, less secure open source software.
Demand to the Federal Government
After the lead committee in the European Parliament (ITRE) and the Council of the European Union have finalized their positions in mid-July 2023, the final trilogue negotiations on the CRA are expected to begin in September 2023. In the upcoming trilogue negotiations, the German government must work to ensure that the open source ecosystem and thus important parts of the German and European IT economy as well as Germany’s digital sovereignty are adequately protected in the CRA. For this, an exchange with representatives of the open source industry is essential. The Open Source Business Alliance offers its expertise in the run-up to the trilogue negotiations and is always available for an exchange as well as consultations.
Peter Ganten, Chairman of the OSB Alliance:
"The security of IT products urgently needs to be increased in many areas. Achieving this is the central goal of the Cyber Resilience Act, which the OSB Alliance expressly supports. However, the drafts now up for negotiation run the risk of throwing out the baby with the bathwater. This is because the open source ecosystem would suffer considerable damage as a result, which would take away the basis for innovation and competitiveness of the entire European IT industry."