# CNLL warns of the dangers of the Cyber Resilience Act for the open source software sector in Europe

Is Europe going to throw out the open source baby with the cyber-security bathwater?

Paris, 17 July 2023 - The Conseil National du Logiciel Libre (CNLL), which represents more than 300 companies in the free software and open digital sector in France, expresses its deep concern about the European Union's draft regulation entitled "[Cyber Resilience Act](https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act)" (CRA). The laudable aim of the CRA is to improve the cybersecurity of digital products in Europe. However, it is a "buggy" text that will be the subject of a crucial vote on 19 July in the European Parliament's ITRE committee, and could be adopted in the process, without a vote in plenary session, by the Parliament itself. If nothing changes between now and its final adoption, it will have particularly serious consequences for small and medium-sized enterprises (SMEs) operating in the field of free software, and more generally for the free software sector, an essential component of Europe's digital economy.

**What are the main problems posed by the ITRE Committee's text for the European free software industry?**

The CRA will impose very costly administrative and technical requirements on organisations that distribute software products or services, or products containing software. In particular, they will have to develop, document and implement policies and procedures for each project, prepare technical documentation for each product version and follow a complex CE marking process. The Commission's impact study estimates a 30% increase in development costs for SMEs, which is well above the margins usually seen in the sector. In the event of non-compliance with these obligations, SMEs are liable to a fine of €15 million.

Free software is, by definition, software distributed under a free software licence (or open source, which is essentially the same thing). All free software licences currently in use include a disclaimer: it is indeed logical that an individual, a company, large or small, a foundation, a research institute, etc. should not wish to be held liable (where there is no deliberate intention to cause harm) when he or she offers, free of charge, the fruit of his or her labour as a common good to the rest of humanity. At the same time, open-source software publishers have not waited for the CRA to offer their customers contracts under which they undertake to maintain their open-source software in return for remuneration, which covers not only maintenance costs but also the R&D costs required to create and develop this software.

In the Commission's original text, the CRA includes an exemption for "non-commercial activities", the ambiguity and risks of which were highlighted by representatives of the open source ecosystem as soon as the initial draft text was published. According to the ITRE committee's current draft text, any open source software project whose contributors include employees of a company is considered to be a commercial activity. This broad definition encompasses almost all significant open source software projects, with potentially devastating consequences. Not only would it encourage projects, some of which are known to have [difficulties ensuring their financial sustainability](https://www.swforum.eu/events/open-source-workshops-computing-sustainability), to refuse contributions from companies that use their software, but it could also lead companies to prohibit their employees from participating in free software projects.

This would also encourage companies in the free software sector to stop publishing their components in open source, to make their development practices less transparent, and to give up contributing to free software projects when these do not fall within the very restrictive exceptions set out in the text.

Furthermore, the ITRE Committee's text states that any free software project that accepts recurring donations from commercial entities is considered to be a commercial activity. This represents a major risk for the sustainability of free software projects that serve as building blocks for the products that free software SMEs put on the market. Indeed, the financial sustainability of these open source projects is a challenge that has been raised many times and is widely recognised. Regular donations from commercial entities are often an essential source of funding that enables projects to continue their work. However, if the CRA is adopted as it stands, these projects will be encouraged to refuse donations, and thus see their resources limited strictly to voluntary work, which runs counter to the stated aim of improving their financial sustainability. The negative impact will spread downstream from all these projects, with the systemic consequence of weakening the overall security of products marketed in Europe, in addition to disrupting the software supply chain of European software publishers.

Finally, it should be noted that the open source software sector, beyond the SMEs that make it up, is a major economic sector for Europe. It contributes between €65 billion and €95 billion a year to the EU economy, according to [the Commission's 2021 study](https://digital-strategy.ec.europa.eu/fr/news/commission-publishes-study-impact-open-source-european-economy), and is at the heart of research and development in many advanced technological fields, including the [Horizon Europe R&D programme](https://research-and-innovation.ec.europa.eu/funding/funding-opportunities/funding-programmes-and-open-calls/horizon-europe_en). The impact of the CRA on this sector is therefore likely to have consequences far beyond the companies directly concerned.

The CNLL therefore calls on European legislators to take these issues into account, and to revise the CRA in such a way as to protect the free software industry, and in particular the SMEs that are its bedrock, without compromising the objective of strengthening cybersecurity.

In the future, this type of regulation will have to be drawn up in close consultation with the players in the open source ecosystem, including European companies that develop open source software and those that integrate open source components into their products, which are best placed to understand and explain the specific features and challenges of their sector. [APELL](https://www.apell.info/) (Association Professionnelle Européenne du Logiciel Libre), which federates the national associations of open source businesses in Europe, must be a privileged interlocutor with the European institutions on these issues, just as the CNLL must be with the French government.

We are also calling for the creation within the Commission of an *external* OSPO (_Open Source Programme Office_), focused on the development of the open source software sector in Europe, which should work in close collaboration with [OSOR](https://joinup.ec.europa.eu/collection/open-source-observatory-osor), the Commission's *internal* OSPO, and contribute its expertise to future legislative initiatives concerning open source software.

Finally, we must collectively promote a better understanding, within our institutions, of the challenges of open digital technology and the complex technological and economic dynamics that characterise the free software ecosystem. This will require more training for political decision-makers on these issues, but also greater consideration of internal and external technological expertise in the decision-making process.

### Annex: Chronology of events

- Sept. 2022: The Commission publishes its [proposal for a directive](https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act). The free software ecosystem was not consulted beforehand.
- Oct.-Nov. 2022: Several organisations note and report on the ambiguities of the initial text, including [the Internet Society](https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/) and [NLNet Labs](https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/).
- Dec. 2022: The Commission organises a series of workshops in Brussels, "[Open Source workshops for computing and sustainability](https://www.swforum.eu/events/open-source-workshops-computing-sustainability)", to which numerous experts and representatives of the European free software sector are invited. The CRA is not on the agenda. The officials responsible for the CRA within the Commission are not involved in these workshops.
- Jan.-Feb. 2023: APELL obtains a meeting with the Commission to discuss the development of the industry and the potential threat posed by the CRA. This meeting is postponed twice, the second time _sine die_.
- April 2023:
  - An [open letter](https://cnll.fr/news/cyber-resilience-act-union-europ%C3%A9enne-menace-logiciel-libre/), co-signed by numerous organisations representing the European free software ecosystem, is sent to MEPs, Council members and Commission representatives.
  - APELL requests a meeting with Thierry Breton. No response.
- May 2023:
  - APELL requests a meeting with the officials responsible for the CRA within the Commission (H2 unit). No response.
  - The Commission organises a webinar to "explain the CRA to SMEs". The subject of open source software, raised by participants, is deemed inappropriate by Commission representatives, who nevertheless promise that there is nothing to worry about.
- June 2023: The IMCO committee votes on amendments to clarify the original text in a way that preserves the free software ecosystem. Unfortunately, these amendments are not admissible because they fall outside the IMCO committee's remit.
- July 2023: The ITRE committee prepares to vote on its amendments. The text leaks out, sending the free software ecosystem into a tailspin.
- End of July 2023: The Council is likely to adopt its position.
- Sept. 2023: Start of the trialogue between the Commission, Parliament and Council.
- Early 2024: The text will probably be adopted definitively.

**About the CNLL**

The CNLL, Union des Entreprises du Logiciel Libre et du Numérique Ouvert, is the representative body of the free software sector in France. Created from the grouping of 8 regional clusters, it represents over 300 "pure player" companies (specialising or with significant activity in free software and open source): publishers, integrators, consultancies, etc. It promotes the professional free software ecosystem, its range of software and services, its specific strengths, and its needs, particularly in terms of employment and training. It enables the community of players in the sector to exchange ideas and work together to develop the market, while respecting shared values.

Visit: [http://www.cnll.fr/](https://cnll.fr/)