Thanks to the Eclipse Foundation, and as a member of the Open Regulatory Compliance Working Group (ORC WG), I had the opportunity to participate in a panel at an exciting event on the Cyber Resilience Act (CRA), organized as a prelude to FOSDEM!
We explored the impact of this regulation on the open source ecosystem, its legal implications, and the challenges we face together. It was an incredible opportunity to learn, debate, and co-create solutions for stronger cybersecurity resilience.
Day 1: Panel Discussion on the Cyber Resilience Act
The first day featured a 45-minute discussion with fellow panelists on the challenges posed by the CRA. The exchange was rich and insightful, thanks to the diversity of perspectives represented. I particularly appreciated the presence of a representative from DG Connect at the European Commission, which underscored the importance of dialogue between industry stakeholders and regulators.
Day 2: Workshop and Practical Solutions
The second day took a more hands-on approach with a workshop format, allowing for detailed discussions and collaborative problem-solving around the application of the CRA to open source projects. I facilitated a session on the legal requirements of the CRA and how to fulfill them in an open source context. To make progress, we documented key issues on a dedicated GitHub repository.
Many questions arose from these discussions. The practical challenges open source developers may face became clearer to me through this exchange. While we managed to clarify some important points—such as how monetization might bring open source projects within the CRA’s scope—some aspects remain unresolved or ambiguous.
Key Takeaways & Open Questions
One key discussion centered on how open source contributors could facilitate compliance for integrators. While an interesting idea, it raises concerns: should unpaid contributors be responsible for ensuring that commercial manufacturers—who profit from freely available software—have an easier time complying? In this framework, there is also a risk that contributors could be classified as manufacturers under the CRA, potentially exposing them to new liabilities.
Moreover, some participants raised concerns that SMEs currently based on an open source model may opt to go proprietary to sidestep regulatory uncertainty.
Additionally, an important question was raised: when an open source developer sells services around their software, how do we assess whether they qualify as a manufacturer? If they make a profit but reinvest all earnings into their business structure, does that constitute a commercial activity that would trigger manufacturer status under the CRA? While there is some guidance in the recitals of the CRA, this is not sufficient because recitals are not binding. That is why more explanation from the Commission is needed on how to deal with these situations.
A relevant perspective comes from Digital Europe, which has proposed clarifications regarding Free and Open Source Software (FOSS). According to their recommendations:
- Upstream open-source organizations should not be considered manufacturers under the CRA.
- FOSS may be classified as a product once it enters commercial circulation. However, clearer examples of activities that should not be deemed commercial are needed.
- The CRA’s focus on making products available in the EU poses challenges for FOSS due to its global nature. Guidelines should limit this concept to ready-to-use open-source packages for commercial use, specifically targeting companies integrating or offering open-source products in the EU market.
Internal Reflections on Our Own Products
Beyond the discussions at the event, these questions also resonate internally when assessing the implications of the CRA on the products we commercialize (or not). We need to carefully review the software and services we provide to determine whether they fall under the CRA’s scope and what compliance measures would be required. This highlights the broader challenge for organizations working with open source: navigating legal uncertainties while maintaining the benefits of an open development model.
Looking Ahead: The Possible Strengthened Role of Open Source Foundations
What emerged from these two days is that, as regulatory complexity increases, a shift toward open source foundations as compliance intermediaries (and open source stewards) may become inevitable.
While discussions between open source stakeholders, such as those during this workshop, help the community progress toward compliance, there are still points that need clarification. In this regard, the European Commission’s forthcoming guidelines are highly anticipated and will be crucial in providing clarity on key aspects of the CRA.
More discussions will be needed, but one thing is clear: the CRA will have a profound impact on open source, and collective action is essential to navigate this new landscape.