
Python Foundation: “European rules endanger open source contributors”

  • April 13, 2023

The Python Software Foundation (PSF) fears that proposed EU cybersecurity laws could make open-source organizations liable for distributing buggy code.

“If the proposed law is enforced as currently written, the authors of open-source components could have legal and financial responsibility for how their components are used in someone else’s commercial product,” the PSF said in a statement.

European legislators introduced two laws last year that deal with software security and liability. From the start, the tech community has pushed back against the rules.

Cyber Resilience Act

The Cyber Resilience Act (CRA) requires product manufacturers to assess product security, implement vulnerability mitigation procedures, and communicate security information to customers. The law aims to improve the security of digital products.

If a software vendor fails to meet the requirements, fines can be as high as €15 million or 2.5 percent of annual revenue, whichever is greater. The CRA is subject to approval by the European Parliament and the European Council.

Product Liability Act

The Product Liability Act extends the European product liability regulations to cover changes made to digital products through software updates. The law allows consumers to claim damages if they are harmed by products that have become unsafe after a software upgrade.

European regulations discourage open source contributions

The PSF urges European lawmakers to clarify the broad language in the proposed legislation. This is to ensure that open source organizations and developers are not held responsible for bugs in commercial products that use their code.

“Under current language, the PSF could potentially be held financially liable for any product containing Python code if it never made any financial gain from any of those products,” the PSF says. Adding such a risk would make it impossible for the Foundation to continue offering Python and PyPI (the Python Package Index) in Europe.

Source: IT Daily
