The Cyber Resilience Act: The Exemption For Open Source

The European Institutions have reached a deal on the final text of the European regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act.

In our previous article on the Cyber Resilience Act we analyzed the terms of the proposed legislation; we also saw that over the last few months the open source community has consistently pointed out the flaws of the proposed regulation, explaining why the Cyber Resilience Act poses a risk to the development of open source software in Europe.

The text of the Cyber Resilience Act resulting from the "trilogue" now clarifies the exemption granted to open source software from the provisions of the regulation. That was indeed one of the problems highlighted by the open source community in the previous version of the text.

Compliance costs

Among the criticisms of the Cyber Resilience Act, probably the most compelling one concerns the excessive compliance costs imposed on anyone who contributes to the development of software. That is a problem particularly for the open source field, as projects are typically developed as a collaborative effort, by many developers, often for free.

According to the previous version of the proposed regulation, anyone who contributes to a project by writing code would have to comply with the terms of the Cyber Resilience Act: requirements, responsibilities and the threat of hefty fines.

All of this has the potential to deter even the most committed open source enthusiast: who would ever want to participate in an open source project if that requires complying with complex, cumbersome and harsh legislation?

The exemption for open source

In the original text of the regulation an exemption was granted for open source software provided that the software was developed or supplied outside the course of a commercial activity.

However, the definition of commercial activity included any initiative which, although giving the software away for free, would then offer other paid services, such as technical assistance. That is precisely the business model of many entities active in the open source field, which would therefore have to comply with the regulation despite producing open source software without even monetizing it.

After an information and lobbying campaign led by the open source community, the text of the Cyber Resilience Act has been amended and it now clarifies the extent of the exemption granted to open source software. The text resulting from the "trilogue" states that the exemption applies as long as the software is not monetized by the manufacturer, regardless of how its development has been financed, whether by selling technical assistance or other services.

"The mere circumstances under which the product has been developed, or how the development has been financed should therefore not be taken into account when determining the commercial or non-commercial nature of that activity. More specifically, for the purpose of this Regulation and in relation to the economic operators referred therein, to ensure that there is a clear distinction between the development and the supply phases, the provision of free and open-source software products with digital elements that are not monetised by their manufacturers is not considered a commercial activity."

(Recital 10c)

That's all?

That is a useful clarification and it saves many open source projects from requirements and obligations which would make them simply unsustainable. However, that doesn't change the fact that open source developers pursuing a commercial activity will still have to bear the increased compliance costs imposed by the Cyber Resilience Act: that is likely to drive small companies, which are less equipped to cope with the demanding requirements of the regulation, out of the market. Moreover, in many cases this would also get in the way of developers writing code meant to improve cybersecurity.

"only free and open-source software made available on the market, and therefore supplied for distribution or use in the course of a commercial activity should be covered by this Regulation."

(Recital 10c)

For further comments we will have to wait until the final version of the text is approved: however, chances are we will have to confirm what we already said about the counterproductive and paradoxical effects of the Cyber Resilience Act:

  • an obstacle for small companies = less competitiveness for Europe;
  • a big favor to tech giants, better equipped to cope with higher compliance costs;
  • less cybersecurity.

What's next?

The text of the Cyber Resilience Act will now have to be formally approved by the European Parliament and the European Council; changes are still possible, although at this stage the text mainly undergoes a legal-linguistic revision. After approval, the text will be published in the Official Journal of the European Union and will enter into force 20 days later.

After entering into force, the regulation will become applicable after a transition period of 36 months. Certain obligations will apply sooner, after 21 months: that is the case for the obligations to report incidents and vulnerabilities.


About the author

Vincenzo Lalli

Founder of Avvocloud.net

Avvocloud is an Italian network of lawyers passionate about law, innovation and technology.
Feel free to reach out for any info.

Thanks for reading!

Creative Commons License