In a recent conversation at the Open Source Summit in Bilbao, Spain, Gabriel Colombo, the General Manager of the Linux Foundation Europe and the Executive Director of the Fintech Open Source Foundation, discussed the potential impact of the Cyber Resilience Act (CRA) on the open source community. The conversation shed light on the challenges and opportunities that the CRA presents to open source and how individuals and organizations can respond.

The conversation began by addressing the Cyber Resilience Act and its significance. Gabriel Colombo explained that while the Act is being touted as a measure to bolster cybersecurity and national security, it could have unintended consequences for the open source ecosystem, particularly in Europe. The Act, currently in the legislative process, aims to address cybersecurity concerns but could inadvertently hinder open source development and collaboration.

Jim Zemlin, the Executive Director of the Linux Foundation, had previously mentioned the importance of forks in open source development, emphasizing that they are a healthy aspect of the ecosystem. However, Colombo pointed out that the CRA could create a sense of unease, as it might deter people and companies from participating in open source projects or using open source software due to potential legal liabilities.

To grasp the implications of the CRA, Colombo explained some of the key provisions. The initial drafts of the Act proposed potential liability for individual developers, open source foundations, and package managers. This raised concerns about the open source supply chain's potential vulnerability and the distribution of liability.

As the Act evolves, the liability landscape has shifted somewhat. Individual developers may not be held liable unless they consistently receive donations from commercial companies. However, for open source foundations, especially those accepting recurring donations from commercial entities, there remains a concern about potential liabilities and the need to conform to the CRA's requirements.

Colombo emphasized that this issue isn't limited to Europe. It could impact the entire global open source ecosystem and affect the ability of European developers and small to medium-sized businesses to participate effectively.

The conversation highlighted the challenges open source communities face when engaging with policymakers. Open source is not structured like traditional corporations or industry consortiums, making it more challenging to present a unified front. Additionally, the legislative process can be slow and complex, which may not align with the rapid pace of technology development.

The lack of proactive engagement from the European Commission and the absence of open source communities in the initial consultations on the Act are concerning. The understanding of open source, its nuances, and the role it plays in the broader software supply chain appears limited within policy-making circles.

What Can Be Done?

Gabriel Colombo stressed the importance of awareness and education. It is vital for individuals, businesses, and open source foundations to understand the implications of the CRA. The Linux Foundation and other organizations have launched campaigns to provide information and resources to help stakeholders comprehend the Act's potential impact.

Being vocal and advocating for open source within your network, organization, and through public affairs channels can also make a difference. Engagement with policymakers, especially as the Act progresses through the legislative process, is crucial. Colombo encouraged businesses to emphasize the significance of open source in their operations and supply chains, making policymakers aware of how the CRA might affect their activities.

In the face of the Cyber Resilience Act, the open source community must unite and actively engage with policymakers. It's essential to educate and raise awareness about the potential impact of the Act and advocate for a balanced approach that strengthens cybersecurity without stifling open source innovation.

The Act's development is ongoing, and there is time for stakeholders to make their voices heard. With a united effort, the open source community can help shape the legislation to ensure that open source remains vibrant and resilient in the face of evolving cybersecurity challenges.

Learn more from The New Stack about open source and Linux Foundation Europe:

At Open Source Summit: Introducing Linux Foundation Europe

Making Europe's 'Romantic' Open Source World More Practical

Embracing Open Source for Greater Business Impact