The European Cyber Resilience Act places strict security requirements on software developers. Even open source software is not immune. But the proposed rules could jeopardize the future of open source, industry stakeholders warn.
The European Union is fully committed to putting the main features of the Cyber Resilience Act on paper. The law is an ambitious attempt to impose clear rules on cyber security on manufacturers of hardware and software. Manufacturers who do not take the safety of their products too seriously risk heavy fines and/or a ban on selling their product(s) on the European market. With this, Europe hopes to be able to reduce the number of cyber attacks.
But the current draft law is not without controversy. The open source community in particular is sounding the alarm. Thirteen interest groups signed an open letter asking the European Union to review the rules on open source software. This joint statement was clearly reinforced at the recent KubeCon conference in Amsterdam.
No one-way traffic
During the fair we meet Gabriele Columbro, General Manager of the Linux Foundation Europe, who co-signed the open letter, to speak about this sensitive topic. “To be clear, I support the goals of the Cyber Resilience Act. It is good that the European Union is taking action on cybersecurity. But the proposed rules could discourage developers from launching open source projects for fear of liability.”
Columbro sees two major problems in the legal text. First and foremost, the European Union treats open source on the same level as classic software, while open source software operates under a completely different market mechanism. Columbro clarifies: “Open source is a much more complex ecosystem that is not a one-way street like commercial software.”
The law therefore provides an exception for open source that is not used for commercial purposes. Too vague a description, says Columbro. “I agree that companies selling open source software should be held accountable, but when is software commercial? For example, look at GitHub: Git is offered for free, but behind it is a company with commercial purposes. Should they then be held accountable for every project developed with GitHub?”
“We are in dialogue with European authorities to work out changes that better preserve the uniqueness of open source software,” continues Columbro. “Clear definitions are needed to distinguish between commercial and non-commercial software. We also hope that platforms and foundations will be exempted.”
“I agree that companies selling open source software should be held accountable, but when is software commercial?”
Gabriele Columbro, Linux Foundation Europe
Everyone plays a role
Open source software security is a topic that is very much alive during the latest edition(s) of KubeCon. Columbro: “The vulnerability in Log4Shell was a strong wake-up call for companies using open source software without a system to fix bugs. Everyone has a role to play in security, vendors first of course. It is important that companies continue to invest in upstream bug fixes; this should be able to be extended to software licensing as well.”
Columbro sees collaboration as key to keeping open source software secure. “We need global safety standards; they already exist. Separate rules for European industry can lead to excessive fragmentation. There is also a need for more academic research in this area and training for developers.”
“Ultimately, security is part of the broader discussion about the sustainability of the open source ecosystem,” Columbro continues his argument. “We also have to look at how we can better support software administrators in their work. You often have to do it alone: the stereotypical image of the single developer is not exaggerated. Support can be provided through contributions to projects, but also through the establishment of funds. Luckily the community is catching up.”
Techno-nationalism
Security risks and regulations aren’t the only issues worrying the Linux Foundation. The non-profit organization released a study in January to warn of a rise in “techno-nationalism” in Europe. The study uses this term to describe geopolitical strategies to shield technologies from political opponents. That is problematic for open source, which by definition stands for an open ecosystem.
“Today, technology has become a fundamental part of the geopolitical strategy of policymakers,” Columbro clarifies. “Political conflicts create a fragmented market, and the research we have conducted has opened our eyes to the fact that this is also becoming a real problem in Europe. When you start excluding certain parties from technologies, competition also arises in areas where this is less desirable, such as security.”
The Linux Foundation Europe was founded in Brussels in September 2022. According to Columbro, this is an important strategic step in the current political context. “The European Union is a prime example of how states can work towards common goals. Open source software is also an important part of Europe’s digital strategy. Regional initiatives are needed, although it should certainly not be the intention to form a European group. On the contrary, we want to act as a springboard for global projects.”
“When you start excluding parties from technologies, competition also arises in areas where it is less desirable.”
Gabriele Columbro, Linux Foundation Europe
Side effects
Columbro likes to end the conversation on a positive note. “Europe traditionally has a strong open source community. Many of our members are European organisations. During KubeCon it became clear that the community is stronger than ever. One could say that the belief in cooperation is inherent in the European vision. With Sylva and OpenWallet we have some strong projects going that clearly show what we can achieve with open source.”
Columbro is convinced that open source software will always play an important role in the European technology sector. “Europe doesn’t have big tech companies like the United States. Open source therefore often offers the best opportunity for European companies to bring their technologies to a global audience. If we can eliminate all ‘undesirable side effects’ then open source has a bright future.”