An amendment to the EU Cyber Resilience Act (CRA) has changed the widely accepted definition of open source software, which has the potential to lead to confusion across the open source community.
Towards the end of December 2023, Raul Milani, the chair of the Council of the European Union’s Committee of the Permanent Representatives of the Governments of the Member States (COREPER) to the EU Regulation, sent a letter to the EU commissioner Thierry Breton covering horizontal cyber security requirements. The amendment, which is set to become part of the EU CRA, includes references to free and open source components that are embedded in digital products.
The CRA final text states: “Free and open-source software is understood as software the source code of which is openly shared and the licence of which provides for all rights to make it freely accessible, usable, modifiable and redistributable. Free and open-source software is developed, maintained, and distributed openly, including via online platforms.”
Amanda Brock, CEO of OpenUK, said that the wording fails to align with the definitions used previously by the European Commission and ignores the accepted definition of open source software and the long-established free software definition.
Discussing the implications of the changes, Brock said the EU has attempted to provide some guidance for those developers who commercialise their open source products. But she said that as a community, the open source community lacks sufficient funding to hire expensive lawyers to go through the amendment to the EU Cybersecurity Act.
“Open source developers are trying to understand complicated legislation with the wording that, even for someone like me who has worked 25 years as a lawyer, really needs to [have someone] sit, concentrate and think about it.”
She noted that the CRA has also set a new requirement of open development in open source code. “Neither free nor open source software has historically been subject to a requirement of open development. Code can and regularly is open source but developed in private, then shared or open sourced at a later stage,” Brock added.
Developers typically build new software privately and then make the source code available as open source at a later date. This is commonly referred to as delayed open source and occurs when companies experiment with various business models to keep exclusive rights to the code they develop for a limited duration.
Brock said that the amendment to the CRA shows that policymakers in the EU “don’t understand how technology works”. She said: “It’s concerning that we’re seeing regulation come out that people who make their income from supporting open source are going to be expected to comply with. It is so complex and is causing confusion within the open source community.”