Blog van Vrijschrift / ScriptumLibre

Letter from the Vrijschrift Foundation to the Dutch Parliament’s First and Second Chambers about the EU Cyber ​​Resilience Act proposal. (original Dutch version)

to: : Chairman of the Parliament Second Chamber Committee for Digital Affairs,
Chairman of the Parliament First Chamber committee for Justice and Security
from: Vrijschrift Foundation
concerns: EU Cyber ​​Resilience Act will harm competitiveness

Dear Mr Valstar,
Dear Mr. Dittrich,

The EU Cyber ​​Resilience Act (CRA) proposal aims to make products containing software and software itself more secure. [1] This objective is endorsed by Vrijschrift. The Minister of Economic Affairs and Climate has written to the Senate that concerns regarding open source software have been “extensively addressed” by means of a recital. However, recitals do not have independent legal force; the amendments of the Council of the EU are ineffective. The CRA, if adopted in this form, will seriously harm the open source ecosystem and the competitiveness of the European economy. We will explain this below.

Brief van Stichting Vrijschrift aan Eerste en Tweede Kamer over het EU Cyber Resilience Act voorstel.

aan: Voorzitter TK commissie voor Digitale Zaken,
Voorzitter EK commissie voor Justitie en Veiligheid
van: Stichting Vrijschrift
betreft: EU Cyber Resilience Act zal concurrentievermogen schaden

Zeer geachte heer Valstar,
Zeer geachte heer Dittrich,

Het EU Cyber Resilience Act (CRA) voorstel heeft tot doel producten met software en software zelf veiliger te maken. ¹ Deze doelstelling wordt door Vrijschrift onderschreven. De minister van Economische Zaken en Klimaat heeft aan de Eerste Kamer geschreven dat de zorgen met betrekking tot open source software door middel van een overweging “uitgebreid geadresseerd” zijn. Echter, overwegingen hebben geen zelfstandige rechtskracht; de amendementen van de Raad van de EU missen werking. De CRA zal, indien in deze vorm aangenomen, het open source ecosysteem en het concurrentievermogen van de Europese economie ernstig schaden. We zullen dit hieronder uiteenzetten.

The German Association of the Automotive Industry (VDA) published a brief position paper on the Cyber Resilience Act in relation to free and open source software. The Cyber Resilience Act (CRA) proposal aims at making products with software and software itself safer. The German car industry’s brief does a great job in explaining the importance of free and open source software (FOSS), and why the approach taken with the legislative proposal will harm the European economy. It’s a short paper, one and a half page, I encourage you to read it. I will discuss the paper and point to a possible solution.

The European Parliament Industry, Research and Energy Committee (ITRE) approved its report on the Cyber Resilience Act (CRA). It also voted for a fast track process. (updated ¹) The CRA is meant to strengthen software security.

Prior to the vote, many individuals and free and open source software organisations were very critical: EFF, FossForce, Bert Hubert 1, Bert Hubert 2, Team NLnet Labs, Apache Software Foundation, Opensource org, GitHub, CNLL, Vrijschrift, major industry associations, overview.

After the vote, organisations are just as critical. FossForce: Bad News for Open Source: EU Committee Approves the Cyber Resilience Act

“I’m discouraged that the proposed legislation has made it this far, and concerned that industry response so far is not robust enough to counter what is likely to be very damaging if it is enacted,” Joe Brockmeier, head of community at Percona said in a statement after the approval was announced.

The German automotive industry is worried about the impact of the legislative proposal. Joomla is. Inter-CMS Working Group:

However, in their current form, the proposed regulations run the risk of reducing software security, as well as undermining the EU’s core aims and values, as we explain below.

I haven’t been involved with the CRA earlier, and others are more knowledgeable regarding this proposal. In this blog I will limit myself to

(i) argue that the ITRE text violates the EU Joint practical guide by putting safeguards in the recitals where they may be completely ineffective and as a result creates legal uncertainty which may be very damaging for the software industry, especially the free and open source software community;

(ii) conclude that fixing the text is of strategic importance; and

(iii) suggest an approach – a shared set of high quality amendments with broad support could make the open source community’s case more compelling.