The community of open-source developers and programmers has positioned itself against the new Cyber Resilience Law that the European Union has proposed. They argue that even though 70% of software development in Europe is open source, which makes its security a legitimate concern, the proposed law will greatly harm the sector because these developers do not have sufficient resources to keep security patches up to date.
The European Union is taking 2023's new challenges of digitalization and Artificial Intelligence very seriously. The first EU-wide regulation to moderate the use of AI was recently approved, and now the EU wants to push forward with another regulation, this time to tackle cybersecurity in all software and hardware products by requiring that they be kept up to date with security patches and fixes.
However, the first detractors of the proposal have already emerged. This is a group of free or open source developers and programmers. These developers, through an open letter to the European Commission, have expressed their dissatisfaction with the future law, stating that it will have “a devastating effect” on their work.
Linux Foundation Europe, the Eclipse Foundation, and the Open Source Initiative have been the biggest organizations to sign the letter, though others have signed as well. Their primary problem with this Act is that open-source programmers do not have sufficient resources to produce security patches and updates for open-source products. They also criticize the harshness of the suggested penalties, which can reach up to 15 million euros.
“Free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.”
Free or open-source software is software whose source code is published under an open-source license, i.e. ‘anyone’ can access it without having to pay for patents or copyrights. This is the opposite of closed-source applications from companies such as Microsoft, Adobe, etc.
According to IBM, open source also refers to the community of developers who create any intellectual property through principles of open collaboration, transparency and inclusion.
Therefore, users of this type of software complain that, despite doing their work in good faith and with the aim of improving and helping the community, they have had responsibilities imposed upon them that do not match their modus operandi. This could result in them abandoning their projects. The core problem is that the EU wants to regulate everything in the same way so that everything is perfectly measured, but reality is more complicated.
Not everyone involved has the same resources to keep their software products up to date on a daily basis, not to mention the millions of dollars in fines and penalties if developers do not comply with the law.
Because of this, organizations such as Digital Europe have stated in an official position that it is necessary to better define what is meant by commercial activity for software, in order to clarify when open-source software has to comply with the requirements of this future law. They added that it is harmful to warn people about vulnerabilities in a product that has not yet been patched.
In conclusion, the goal of open-source organizations over the next month will be to correct these problems and negotiate with the European Union. A final technical meeting is scheduled for July 6, and the text should be finalized by July 19 so that the proposal can be voted on by the European Parliament after the summer.
Regardless of the outcome, both the European Union and the European Commission should listen more to all players in the European business cyber landscape to improve IT security for all, both individuals and professionals.