Why the European Commission must consult the Open Source communities

A crucial problem with the Impact Assessment of the Cyber Resilience Act (CRA) is that no Open Source communities or community fiduciaries were consulted as stakeholders. The lack of consultation with the Open Source communities would explain the possible origin of a serious defect in terminology.

The Impact Assessment Annex 2 (Pdf), sections 2-4 lists the consulted stakeholders and Open Source communities aren’t there. During a FOSDEM Main Stage panel, the European Commission’s policy officers explained they had been working on the language of the updates to the Public Liability Directive (PLD) and CRA for a significant time. When asked why they had not consulted the community until now (at 1:27:45 on the video), they replied it was the community’s responsibility to find out about their work and show up to published consultations.

It is not enough to expect the Open Source ecosystem to spontaneously show up – it is not structured in a way that makes that likely. In any case, the consultation process has no category for individuals who make economically significant works outside the role of “Company” or “Workforce.” In other words, there were no consultations aimed at the community. At best we will show up late in the process asking why no-one called, as we are now.

It is not unreasonable to ask to be treated in a way respectful of these realities; the process does so for SMEs. Section 4 of Annex 2 observes “However, it has been very difficult to get substantial input from SMEs.” As a result, there was extensive, targeted outreach to SMEs resulting in significant inputs. No equivalent effort was made to reach out to Open Source charities like OSI, or to significant fiduciaries like Apache, Eclipse or Python.

It’s great that companies in the Open Source ecosystem do show up in consultations, and I know of a number who have lobbyists in Brussels. But they cannot be relied upon to explain or even consider the perspectives of the significant number of community participants either outside their interest area or even opposed to it.

It is very important to find ways to give a voice to the true community and not just its corporate members. Open Source is a social movement with software artifacts and market consequences. Paying heed only to the latter (or even the latter two) is an inadequate approach. You can’t proxy through SMEs, let alone multinationals and their lobbyists.

This is a serious and persistent issue with the Commission’s work; they need to become aware that when proposals affect the Open Source ecosystem (of which the Open Source software market they value is a part, but not the whole), it is essential for them to treat the members of that ecosystem as key stakeholders and make at least as much of an effort to reach out to them as they do to SMEs — possibly more.

This article first appeared on Webmink in Draft.

Photo of Brussels In Your Own Time sculpture by Simon Phipps


  1. Jordi Mon Companys Avatar
  2. Simon Phipps Avatar
  3. Abraxas3d W5NYV Avatar
  4. @aeva@tech.lgbt Avatar
  5. KF7CCC Avatar
  6. Makoto Avatar
  7. Ulf Avatar
  8. CK's Technology News Avatar
  9. Stefano Zacchiroli Avatar
  10. Jocix ??❤️?? Avatar
  11. æva ( ?️‍⚧️?️ arc ) Avatar
  12. æva ( ?️‍⚧️?️ arc ) Avatar
  13. æva ( ?️‍⚧️?️ arc ) Avatar
  14. Brian Smith Avatar
  15. Kenneth John Bardsley Avatar
  16. Andreas, DJ3EI, he/him Avatar
  17. tommaso dl6plz (iu5fho) Avatar
  18. Volt4ire Avatar
  19. ‏لوللزمن عن نية الغدر شيمه Avatar
  20. Saulo Jacques Avatar
  21. Saulo Jacques Avatar
  22. Saulo Jacques Avatar
  23. datenimperator Avatar
  24. Simon Phipps Avatar
  25. Bart Janssens 🇧🇪 Avatar
  26. Bjoern Michaelsen Avatar
  27. Peter Flynn ✅ Avatar