What is the Cyber Resilience Act and why it’s dangerous for Open Source

The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs).

OSI has submitted the following information to the European Commission’s request for input on its proposed Cyber Resilience Act text.

We recognise that the European Commission has framed an exception in recital 10 attempting to ensure these provisions do not accidentally impact Open Source software. However, drawing on more than two decades of experience, we at the Open Source Initiative can clearly see that the current text will cause extensive problems for Open Source software. The problems arise from ambiguities in the wording and a framing which does not match the way Open Source communities actually function and how their participants are motivated.

First, for those distributing software as a community function to confidently rely on the exclusion, this absolutely must be inserted as an article and the “should” must be changed to “shall”.

Second, since the goal is—or should be—to avoid harming Open Source software, which the European Commission is working hard to support, this goal should be stated at the start of the paragraph as the rationale, replacing the introductory wording about avoiding harm to “research and innovation” to avoid over-narrowing the exception.

Thirdly, the reference to “non-commercial” as a qualifier should be substituted. The term “commercial” has always led to legal uncertainty for software and is a term which should not be applied in the context of open source as specific commercial uses of open source projects by some users are frequently disconnected from the motivations and potential compensation of the wider community of maintainers. The software itself is thus independent of its later commercial application. The problem is not the lack of a taxonomy of “commercial”, it is the very act of making “commercial” the qualification rather than, for example, “deployment for trade”. Thus adding a taxonomy of commerciality is not a solution. OSI would be pleased to collaborate over better approaches to qualifying an exception.

To illustrate the concern our community feels, we wish to highlight an analysis by OSI affiliate Eclipse Foundation, based in Brussels. While they note that, with staff and financial resources, they are “in a better position than most” to deal with such requirements, they conclude that “we fear that the obligations set forth by the legislation will cripple the Eclipse Foundation and its community.”

OSI’s recommendation

The Open Source Initiative assumes the Act is not intended to negatively impact the communities that make Open Source software or burden the non-profit foundations that support them.

Therefore OSI recommends further work on the Open Source exception to the requirements within the body of the Act to exclude all activities prior to commercial deployment of the software and to clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment. Leaving the text as it is could chill or even prevent availability of globally-maintained open source software in Europe. We also support the more detailed analysis we have co-signed with Open Forum Europe.

123 responses to “What is the Cyber Resilience Act and why it’s dangerous for Open Source”

  1. @osi My understanding of the Open Source Definition (https://opensource.org/osd) was that you couldn’t enforce non-commercial and still call it Open Source – as this would be “placing restrictions on other software.” I’ve personally opted for Source-Available licensing because I wanted to ensure that any products derived from my own were also accessible at no-financial-cost. Is my understanding of Open Source correct in this way?

  2. @osi One of the goals of CRA is to avoid OpenSSL, Log4j type of incidents. However, they’re non-commercial open-source software, and we’re not addressing those cases when we exclude OSS from CRA. Would it be better to focus on SBOMs? First, build the software inventory and then develop a strategy?

