EU’s Cyber Resilience Act would benefit from US’ open source approach
The EU is said to be “shooting itself in the foot” if current proposals are passed into law


The European Union (EU) should consider replicating the US government’s approach to open source software regulation with its Cyber Resilience Act (CRA), according to a leading expert.
Speaking to ITPro at KubeCon 2023, Gabriele Columbro, general manager for the Linux Foundation in Europe, said the CRA’s current iteration would “change the entire community dynamic” and hamper European businesses.
An open letter signed this week by major industry organizations, including Linux Foundation Europe, said the proposal in its current form will have a “chilling effect” on open source software development.
Under the current iteration, open source developers themselves would be held liable for vulnerabilities in software.
By contrast, the US government’s Cyber Security Strategy, unveiled in February this year, excluded liability for open source software developers and projects.
The decision was hailed at the time as a highly positive move from the Biden administration.
Columbro warned that the EU’s current approach could have a significant impact on the European open source community if the bill was to pass in its current form.
“I think this will have an impact at multiple levels,” he said. “The one I’m worried about the most is what this will mean for our contributors. I think the Linux Foundation and others will feel an impact, but we’re maybe better positioned than others to address those.”
“In the worst-case scenario, individual contributors could be worried that they’ll be slapped with lawsuits and eventually just decide not to put a project in the open.”
Columbro noted that the inclusion of liability for open source projects appears ‘idiosyncratic’ due to the fact that Europe actively benefits from open source projects and software.
Millions of businesses spread across 27 member states rely on open source software, which is developed and maintained by a dedicated pan-continental community.
“The entire community dynamic will change,” he said. “And this would primarily hamper Europe. Because outside of Europe, open source innovation will continue - will GitHub have to block open source downloads from inside Europe?”
“Europe bets a lot on open source, but with this it shoots itself in the foot.”
The CRA’s wider failings
Columbro noted that the EU’s approach to open source software, which appears to have been influenced by the disastrous Log4Shell incident, has particular differences, not least with regard to national security concerns.
In the wake of Log4Shell, the White House actively sought to engage with software vendors and open source communities such as the Linux Foundation to plan its future approach and mitigate potential supply chain risks.
But this was from a national security perspective, he added. The US government has a national security mandate while the EU does not, instead delegating national security to individual member states.
This creates somewhat of a headache for the Linux Foundation and other communities, he said, who are now faced with engaging with multiple different governments across the union.
“The reason the US was so quick in the wake of Log4Shell to bring together the Linux Foundation, Apache Software Foundation, and all the major tech vendors to discuss the response was, of course, from the angle of securing their critical infrastructure and national security.”
“That’s because the federal government in the US has a national security mandate. The EU doesn’t have a national security mandate, that is delegated to individual sovereign states.
“That is a completely different approach that we need to take as an open source community to work with the 27 member states. But that’s a more humongous approach.”
Positive engagement
Columbro’s comments follow the open letter’s publication, and he is confident that it could spark a positive discussion - and outcome - on CRA-related concerns.
“The intent of the open letter was to offer up a global, broad consensus with deep experience in this world as foundations,” he said.
“It was really to let the European Union know that we can work together with each other and we want to create an ongoing dialogue and offer up a conversation to help refine [the act].”
“I do think, ultimately, that there is definitely willingness from the EU to improve. I am positive that there is going to be a positive outcome to the CRA,” he added.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.