"Ill-informed" EU lawmakers risk blurring the definition of open source in Cyber Resilience Act

Blue futuristic Europe vector with hexagonal grids and light beams
(Image credit: Getty Images)

Open source advocates have criticized the EU’s Cyber Resilience Act (CRA), suggesting that the proposed legislation will create disarray for software developers across the union and create widespread confusion over liability rules.

The specific wording of the legislation is said to contradict previous definitions of open source technology established by the European Commission, according to Amanda Brock, chief executive of OpenUK

The final text of the Cyber Resilience Act states that “free and open-source software is understood as software, the source code of which is openly shared and the license of which provides for all rights to make it freely accessible, usable, modifiable and redistributable”.

However, Brock claims the ambiguous and confusing wording of open source in this instance leaves the act open to interpretation and could still leave developers at risk of inadvertently falling foul of regulations.

“It’s unclear why the Commission has chosen to refer to open source software in this way,” she said. “There is no explanation for its ignoring the accepted definition of open source software and the long established free software definition.”

“This wording also fails to align with the definitions used previously by the Commission.”

A key criticism of the act over the last year centered around rules that could see developers held liable for software vulnerabilities. A host of organizations, including the Linux Foundation, suggested it could create a “chilling effect” across the European ecosystem.

The community appeared to have been granted a reprieve in December when last-minute changes meant stringent rules would be relaxed, with the final draft exempting open source software developed without “commercial intent” from liability.

Brock noted that the text has a further review stage to pass in the legislative process. This, she said, represents an opportunity for the open source community to engage with lawmakers to ensure the correct definition is used to prevent future confusion for the ecosystem.

“It may be that the open source communities find it worthwhile to have a final push in the campaign against the CRA to encourage the Commission to use a corrected and established definition.”


An eBook from SecurityScorecard on how to measure your business' cyber resilience

(Image credit: SecurityScorecard)

Discover how your organization can enhance its cyber resilience with proactive threat intelligence


In its current form, the CRA will create an “extra layer to code to allow it to qualify as open source”, according to Brock, who added that requirements for developers could create “unintended barriers” and friction between the community and regulators.

“Neither free nor open source software has historically been subject to a requirement of open development,” she said. “Code can, and regularly, is open source but developed in private, then shared or open sourced at a later stage.

“This further and possibly unintended barrier to benefiting from the open source exception in this regulation will not be well received across the tech sector. Rather it will cause an unnecessary level of friction and confusion."

The EU’s war war of attrition with open source

Pushback against EU legislation from the open source community has been intense amid criticism that it could seriously hamper innovation in the European ecosystem. 

In July 2023, industry stakeholders described the Cyber Resilience Act as a “death knell” for the open source community

A close up image of the flag of the European Union featuring 12 stars

(Image credit: Getty Images/John Lamb)

What's the EU's problem with open source?

Speaking to ITPro at the time, Sonatype CTO Brian Fox said the act risked “severely undermining” open source projects across the union and could negatively impact broader efforts to improve cyber resilience.

Meanwhile, the EU AI Act was also a source of controversy, with industry advocates warning that restrictions placed on open source AI development could harm the union’s ability to compete with international counterparts.

In November 2023, tech policy group DigitalEurope said that EU AI startups “could be regulated out of existence”.

Brock said that rules around product liability both in the CRA and AI Act should be a serious cause for concern for European developers.

“Understanding what the Commission is trying to achieve in its approach to open source not only in the CRA but across AI and product liability regulation is important,” she said. 

“Is it attempting to narrow the code which will be caught in the exceptions by qualifying as free and open source software or has this simply come from being ill informed?”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.