What's the EU's problem with open source?

Blue futuristic Europe vector with hexagonal grids and light beams
(Image credit: Getty Images)

The open source community is very much at a critical juncture amid a period of regulatory uncertainty in the EU, with new legislation posing a threat to the industry. 

This week, a consortium of companies including GitHub, Creative Commons, and Hugging Face published a policy paper aimed at EU regulators requesting greater support for open source AI development in the upcoming AI Act. 

The coalition outlined a series of suggestions for EU lawmakers in the paper, making a number of requests. These included more concise definitions of AI components and greater support and leeway for open source research into the development of AI models. 

A key focus here centers around whether research and testing of AI models will be interpreted as “commercial activity” and thus subject to stringent rules under the act. 

Under the proposed EU guidelines, real-world testing of AI systems will not be granted exemption from the regulations, which the companies argued could be inhibitive to innovation and prove costly for enterprises. 

Instead, the coalition suggested a change in language to accommodate for testing which is done “on a limited scale with sufficient documentation and transparency to users”. 

“Research and development (R&D) is crucial to the development of beneficial, trustworthy AI systems,” the paper reads. 

“The act should recognize that some real-world testing, including preliminary exploration of a model’s appropriateness to specific deployment conditions and allowing scrutiny and evaluation by relevant civil society organizations outside of the development chain, can be necessary and appropriate for R&D.”

Warranted criticism

The policy paper is by no means a scathing criticism of the AI Act, but does contain suggestions on how regulators and open source developers might foster a closer relationship that fuels innovation. 

However, the paper does warn that, based on its current iteration, the Act risks creating “impractical barriers” for contributors in the ecosystem. 

“The AI Act holds promise to set a global precedent in regulating AI to address its risks while encouraging innovation,” the paper reads. 

“By supporting the blossoming open ecosystem approach to AI, the regulation has an important opportunity to further this goal through increased transparency and collaboration between stakeholders.”

“Unfortunately, current proposals threaten to create impractical barriers to and disadvantages for contributors to this open ecosystem,” it added. 

Peter Chichon, senior policy manager at GitHub, one of the leading voices in this discussion with regulators, warned in a blog post that the act risks “chilling open source AI development” and undermining “responsible innovation” across the union. 

Long-running concerns

Given recent clashes between regulators and the community, the move from GitHub et al should be welcomed and provide food for thought among lawmakers in the EU who appear determined to stifle open source innovation. 

This isn’t the first time industry stakeholders have, justifiably, raised concerns about restrictive policies from the union. 

The Brookings think tank published a report criticizing the proposals in September last year warning that the act would seriously undermine open source AI development and harm developers. 

Similarly, earlier this month, Wikipedia founder Jimmy Wales and OpenUK chief executive Amanda Brock suggested that the act’s stringent rules for open source developers could harm broader European AI ambitions and enable the US to “outpace” Europe in the space


Whitepaper with title, IDC logo, contributors photos, and background digital globe graphic

(Image credit: IBM)

The business value of IBM AI-powered automation solutions

Discover the IT improvements businesses are seeing with the adoption of automation.


Speaking during a roundtable discussion, Brock described the act as “very prescriptive” and suggested that exemptions for open source development “don’t go far enough”. 

“It’s not going to work,” she said. 

With such strong pushback - and repeated pushback from industry figureheads - EU regulators could be faced with the prospect of curtailing worrisome aspects of the legislation. 

But will it work? History tells us otherwise. Ahead of GDPR implementation in 2018, EU lawmakers fought off a wave of complaints and concerns from the industry and continued to steam ahead with plans. 

The EU has already brushed off complaints from industry big-hitters such as OpenAI, whose CEO Sam Altman warned earlier this year that the company could be forced to ‘pull out of Europe’ due to aspects of the regulation. 

Altman’s comments were met with a fierce response from lawmakers and later prompted a u-turn from the chief executive in a debacle that highlighted the unwavering resolve of regulators. 

Clashing heads with regulators

This current call to action also bears similarities to other battles we’ve seen between the open source community and regulators in recent months. 

In April, 13 open source industry bodies penned an open letter to EU lawmakers voicing concerns over the Cyber Resilience Act (CRA), arguing that aspects of the legislation would harm the open source community across Europe

The letter, signed by Linux Foundation Europe, the Open Source Initiative (OSI), and the Eclipse Foundation, said the proposals would have a “chilling effect” on open source software due to rules that would leave developers liable for software vulnerabilities. 

More recently, critics once again reared their heads ahead of a crunch vote in the European Parliament on the cyber act, claiming that in its current form, the legislation represents a “death knell” for open source in Europe. 

Despite this, MEPs on the Industry Committee nonetheless voted to back the draft bill, with 61 votes to 1 and 10 abstentions. 

Once again, lawmakers in the EU proved their resolve and reaffirmed their apparent disregard for the concerns raised by members of the open source community. 

This all begs the question of whether the EU views the open source industry as a valuable player within the broader technology landscape. While regulations are being pushed to protect consumers and businesses alike, there is no denying that significant pressure is being placed on the open source community, which offers valuable economic benefits. 

Millions of businesses spanning all 27 member states rely on open source software in their day-to-day operations. The vital applications and platforms that represent the lifeblood of the European tech economy are maintained by a dedicated community of developers, who in the EU’s eyes it seems cannot be trusted. 

With the European Parliament voting to adopt its position on the AI Act in June, time is fast running out for the open source community to see any meaningful changes implemented by lawmakers. 

And if the EU’s approach to the Cyber Resilience Act is anything to go by, it’s likely that the industry will be ignored and have stifling changes imposed on it that harm developers and long-term innovation.

Critics of EU regulations have warned that developers may choose to “back out” of projects as a result of the potential penalties, threatening one of the most celebrated corners of the industry.

Gabriele Columbro, general manager for the Linux Foundation in Europe, told ITPro in April that this could become a reality as contributors seek to avoid being “slapped with lawsuits”. 

If this proves to be the case, then the open source community, which is already stretched and becoming increasingly burnt out, could enter a dark period - and that spells trouble for innovation in Europe, undoubtedly harming businesses. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.