The Cyber Resilience Act ‘CRA’ that came in September last year drafts a code-of-conduct following which the manufacturers of internet based software and hardware devices– including IoT devices, computer systems and smart phones– in Europe are bound to embed security into their products as well as report vulnerabilities that may exist afterwards. 

Penalties for non-compliance may include fines of up to €15 million, or 2.5% of global turnover.

Though manufacturers in the European Union welcomed the intention of the cyber resilience act, the open source bodies showed concerns over the economic and technological risk it imposes on the EU. More than a dozen open source bodies reached out to the European Commission (EC) at the start of this year writing an open letter that states “their voices are underrepresented in the development of the CRA ”.  

The letter reads:

“Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators.”

The Electronics Frontier Foundation (EFF) , which is an organization that protects the technology community from legal injustice, has also raised concerns over the current CRA principles. According to EFF, CRA poses significant damage to the open source community where individual developers code and build systems as an act of good-will and gratitude. These open source softwares are then utilized in almost one quarter of all electronic devices in Europe. Developers may receive money in the form of individual donations, employment in open source tech companies, or foundation grants for building their own systems.

As the CRA poses liability for all bodies involved in commercial activity, it also includes the open source community who gets paid via its traditional revenue streams. This way, following the act, if an open source developer even gets paid a penny, they would come under legal liability and the whole operation will be challenged. This would risk the development operations if developers lack funds.

EFF calls the open source development community of Europe to join in raising concerns and take their voices to the European Commission.

Apart from the individual developers and small-scale organizations, thirteen tech companies in the open source landscape also shared their views including Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI). According to them “[CPR] poses an unnecessary economic and technological risk to the EU.”

As the Act is currently in amendment stage, digital product development communities are making themselves knowledgeable on the impacts this potential law can have on their freedom and digital economy.

The Cyber Resilience Act ‘CRA’ that came in September last year drafts a code-of-conduct following which the manufacturers of internet based software and hardware devices– including IoT devices, computer systems and smart phones– in Europe are bound to embed security into their products as well as report vulnerabilities that may exist afterwards. 

Penalties for non-compliance may include fines of up to €15 million, or 2.5% of global turnover.

Though manufacturers in the European Union welcomed the intention of the cyber resilience act, the open source bodies showed concerns over the economic and technological risk it imposes on the EU. More than a dozen open source bodies reached out to the European Commission (EC) at the start of this year writing an open letter that states “their voices are underrepresented in the development of the CRA ”.  

The letter reads:

“Open source software represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators.”

The Electronics Frontier Foundation (EFF) , which is an organization that protects the technology community from legal injustice, has also raised concerns over the current CRA principles. According to EFF, CRA poses significant damage to the open source community where individual developers code and build systems as an act of good-will and gratitude. These open source softwares are then utilized in almost one quarter of all electronic devices in Europe. Developers may receive money in the form of individual donations, employment in open source tech companies, or foundation grants for building their own systems.

As the CRA poses liability for all bodies involved in commercial activity, it also includes the open source community who gets paid via its traditional revenue streams. This way, following the act, if an open source developer even gets paid a penny, they would come under legal liability and the whole operation will be challenged. This would risk the development operations if developers lack funds.

EFF calls the open source development community of Europe to join in raising concerns and take their voices to the European Commission.

Apart from the individual developers and small-scale organizations, thirteen tech companies in the open source landscape also shared their views including Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI). According to them “[CPR] poses an unnecessary economic and technological risk to the EU.”

As the Act is currently in amendment stage, digital product development communities are making themselves knowledgeable on the impacts this potential law can have on their freedom and digital economy.