What is the Cyber Resilience Act and why it’s dangerous for Open Source

The Cyber Resilience Act (CRA) is an interesting and important proposal for a European law that aims to drive the safety and integrity of software of all kinds by extending the “CE” self-attestation mark to software. And it may harm Open Source. The proposal includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA including security, privacy and the absence of Critical Vulnerability Events (CVEs).

OSI has submitted the following information to the European Commission’s request for input on its proposed Cyber Resilience Act text.

We recognise that the European Commission has framed an exception in recital 10 attempting to ensure these provisions do not accidentally impact Open Source software. However, drawing on more than two decades of experience, we at the Open Source Initiative can clearly see that the current text will cause extensive problems for Open Source software. The problems arise from ambiguities in the wording and a framing which does not match the way Open Source communities actually function and their participants are motivated.

First, for those distributing software as a community function to confidently rely on the exclusion, this absolutely must be inserted as an article and the “should” must be changed to “shall”.

Second, since the goal is—or should be—to avoid harming Open Source software, which the European Commission is working hard to support, this goal should be stated at the start of the paragraph as the rationale, replacing the introductory wording about avoiding harm to “research and innovation” to avoid over-narrowing the exception.

Thirdly, the reference to “non-commercial” as a qualifier should be substituted. The term “commercial” has always led to legal uncertainty for software and is a term which should not be applied in the context of open source as specific commercial uses of open source projects by some users are frequently disconnected from the motivations and potential compensation of the wider community of maintainers. The software itself is thus independent of its later commercial application.The problem is not the lack of a taxonomy of “commercial”, it is the very act of making “commercial” the qualification rather than, for example, “deployment for trade”. Thus adding a taxonomy of commerciality is not a solution. OSI would be pleased to collaborate over better approaches to qualifying an exception.

To illustrate the concern our community feels, we wish to highlight an analysis by OSI affiliate Eclipse Foundation, based in Brussels. While they note that, with staff and financial resources, they are “in a better position than most” to deal with such requirements, they conclude that “we fear that the obligations set forth by the legislation will cripple the Eclipse Foundation and its community.”

OSI’s recommendation

The Open Source Initiative assumes the Act is not intended to negatively impact the communities that make Open Source software or burden the non-profit foundations that support them.

Therefore OSI recommends further work on the Open Source exception to the requirements within the body of the Act to exclude all activities prior to commercial deployment of the software and to clearly ensure that responsibility for CE marks does not rest with any actor who is not a direct commercial beneficiary of deployment. Leaving the text as it is could chill or even prevent availability of globally-maintained open source software in Europe. We also support the more detailed analysis we have co-signed with Open Forum Europe.


  1. Software, tecnología y negocios. Avatar
  2. Thierry Carrez Avatar
  3. Thorsten Behrens Avatar
  4. Walter van Holst Avatar
  5. Pedro Mendes Avatar
  6. Christian Tramnitz Avatar
  7. Andreas Kuckartz Avatar
  8. smallcircles (Humane Tech Now) Avatar
  9. Whreq Jnnyobre Avatar
  10. Patrick Masson Avatar
  11. Real Social Networks Avatar
  12. Esther Payne ??????? Avatar
  13. Matt Sicker Avatar
  14. Gina Häußge Avatar
  15. Josh Simmons Avatar
  16. pchestek@fosstodon.org Avatar
  17. Kinmen Rising Project-金門最後才子?? Avatar
  18. karadanvers@follow.darn.social Avatar
  19. Chris "Woody" Woodruff Avatar
  20. ona [she/they] Avatar
  21. Monica Ayhens-Madon Avatar
  22. OSIL México Avatar
  23. Brian McGonagill Avatar
  24. Felix B. Avatar
  25. Danny Avatar
  26. aid85 Avatar
  27. karadanvers@follow.darn.social Avatar
  28. 胡椒羊毛 Pepperwool Avatar
  29. FrankM@nrw.social Avatar
  30. raise_project Avatar
  31. Horváth Bálint Avatar
  32. Horváth Bálint Avatar
  33. Matt Sicker Avatar
  34. Rochelle Grober Avatar
  35. anierbeck Avatar
  36. John Oestmann Avatar
  37. P.J. Meisch Avatar
  38. Openhuman Avatar
  39. CK's Technology News Avatar
  40. Jordi Mon Companys Avatar
  41. Open Source Initiative :osi: Avatar
  42. @aeva@tech.lgbt Avatar
  43. erAck Avatar
  44. Lari Lohikoski Avatar
  45. Simon Phipps Avatar
  46. Giovanni Battista Gallus Avatar
  47. FrazzledWings ? Avatar
  48. Tony Bark :fbdj: :verified: Avatar
  49. Andy Piper Avatar
  50. Josh Simmons Avatar
  51. laker Avatar
  52. Florian Idelberger Avatar
  53. Murad Avatar
  54. pchestek@fosstodon.org Avatar
  55. Matthias Sohn Avatar
  56. Nicola Soranzo Avatar
  57. Arnaud J Le Hors @lehors@w3c.social Avatar
  58. Henri Sivonen Avatar
  59. Guiloubs Avatar
  60. Ludovic Avatar
  61. Mikaël Barbero Avatar
  62. Stefano Maffulli Avatar
  63. Thorsten Behrens Avatar
  64. David's Alter (Algo) Ego Avatar
  65. Serkan Holat Avatar
  66. Serkan Holat Avatar
  67. Pamphile Roy Avatar
  68. Dream Hollow Avatar
  69. What is the Cyber Resilience Act and why it’s dangerous for Open Source - Voices of Open Source - Lemmy Avatar
  70. BehzadA Avatar
  71. Christopher Allen (@ChristopherA@mastodon.social) Avatar
  72. Angsuman Chakraborty Avatar
  73. 20i Avatar
  74. Spyder Lab Avatar
  75. The IP Paperclip Project Ltd. Avatar
  76. PiZ Avatar