Cyber Resilience Act: A Sword of Damocles Hanging over Free Software

The European Commission is promoting the Cyber Resilience Act, a draft regulation on the strengthening of cyber-security rules aimed at ensuring more secure hardware and software products. Unfortunately, as often happens, the Commission's approach seems to reflect a strictly business-oriented vision, based on the vertical and centralized model of the Big Tech companies developing proprietary software. This regulation poses a very serious threat to free software, as evidenced by a letter cosigned by a group of organizations from the European free software ecosystem.

IT security, as long as it serves users and is controlled by them, is an important condition for exercising computer freedoms as a whole. The various free software development methods, which, like scientific methods, rest on transparency, reproducibility, and collaboration, among other things, are much more conducive to security than a model based on a top-down and opaque approach. In any case, security per se cannot be a sufficient excuse to justify reducing fundamental freedoms. Any “security” measure must meet the principles of proportionality and strict necessity. This holds as true for IT as it does for everything else.

Working for better IT security is a laudable goal, and, in any event, is a completely legitimate political lever in the hands of the European Commission; however, the Commission cannot use it without taking actual practices into account, nor can it do so without consulting stakeholders. In an open letter addressed to the Members of the European Parliament and the Council of the European Union, organizations involved in the free software ecosystem at the European level expressed their deep concern and highlighted how free software communities had not been consulted, even though “in Europe, free software accounts for over 70% of the software in digital products”.

The Commission wants to impose from the top down a methodology based on “CE marking”, which entails a very strong liability for those who produce and distribute code. Under this regulation, people producing or distributing code would individually be responsible for its security. The problem is that most free software is developed by volunteers or by small projects with very few resources. They don't have the financial and human means to carry out the heavy and complex procedures that the proposed regulation would entail, including in terms of certification.

This stance is all the more paradoxical since the European Commission seems to acknowledge the importance of free software as part of the technological foundation of the internet, notably as regards security. The Commission has led projects whose goals were precisely to foster the security of critical free software. The EU-FOSSA initiative (European Union Free and Open Source Software Auditing) has been giving out bounties for the detection of security vulnerabilities in the free software products used by European institutions. Yet, instead of strengthening this essential technological resource in Europe, the Cyber Resilience Act would undermine it, all while the rest of the world kept on using and developing it. Thus, as a side effect of its regulation, the Commission would seriously deprive and hobble European industry.

The organizations that signed the open letter, including the CNLL (Union of Open Technology Companies, a French NGO) in its press release (in French), call attention to the risks that the Cyber Resilience Act would impose on the European free software field, which, according to the CNLL, brings “30 billion euros in direct revenues and 100 billion euros in total economic impact”. By forcing such a strong liability on free software companies, with no regard to any potential contractual relationship with the users, this proposal shows a deep lack of understanding of free software products, their specific development methods, and their supporting communities. Let's recall, for instance, that free software companies didn't wait for the Commission to offer maintenance and/or insurance contracts, which are distinct from code development.

In its draft regulation, the Commission clearly tries to show that it took free software into account; however, far from being convincing, it, once again, demonstrates a deep lack of knowledge. In one recital — not in an actual article — the regulation makes an exception for free software developed or supplied in the course of noncommercial activities. But the scope of noncommercial activities is so restrictive that the exception is rendered meaningless [1]. For instance, code published on platforms such as GitHub or GitLab would fall under the heavy obligations provided by the regulation, because those platforms also offer paid services to their users.

The Cyber Resilience Act could have a detrimental and deterrent effect on the development and use of free software in Europe and probably, by ripple effect, at a more global level. One can easily imagine a company choosing not to use third-party free software components in its own solutions, and using proprietary software instead, so as not to have to handle the proactive maintenance of those third-party components.

April reminds the European Commission of its past positions on free software [2], which were supposed to be ambitious, even though the Cyber Resilience Act reveals a top-down and centralized representation of IT. If the Commission doesn't want to seriously undermine all the benefits of free software that it claims to support (openness, sovereignty, innovation, etc.), it needs to listen very attentively to all the stakeholders in the free software ecosystem, and then thoroughly rework its proposal.