EU Cyber Resilience Act Takes a Leap Forward

04 December 2023

Author: Astor Nummelin Carlberg

PRESS RELEASE

For immediate release: 4/12/2023

EU Cyber Resilience Act Takes a Leap Forward: Further Clarifying Responsibilities for FOSS Next Step

When agreeing on the final text, the co-legislators made major improvements to the scope of the EU Cyber Resilience Act (CRA) as it applies to free and open source software. The 2022 proposal raised concerns that “commercial” would be interpreted broadly, so that all acts of publishing and sharing software and source code would trigger legal questions, obligations and the risk of fines. However, the Commission, Parliament and Council have now agreed to a crucial clarification that “the provision of free and open-source software products with digital elements that are not monetised by their manufacturers is not considered a commercial activity”.

This is in addition to the clarification that “The mere circumstances under which the product has been developed, or how the development has been financed should therefore not be taken into account when determining the commercial or non-commercial nature of [making free and open-source software available on the market].” This wording will give clarity to a lot of contributors, both commercial and non-commercial, and will prevent the obligations from extending to certain areas where they could be counterproductive.

While we welcome these improvements, it’s important to recognise that the CRA still presents a regulatory challenge for businesses involved in monetising software. For the vitality of the free and open source software ecosystem, and the robustness of the European IT infrastructure that heavily relies on open source, it’s essential that these businesses remain sustainable. Moreover, for the EU’s cybersecurity and digital sovereignty, keeping development within the EU is crucial.

In the coming months and years, efforts are needed to further clarify the CRA’s obligations and to establish efficient, cooperative processes. These will ensure ease of compliance while maintaining the right to modify, share, and commercialise the software.

With the legislative phase drawing to a close, attention now turns to the development of implementation standards as required by the regulation. Concurrently, discussions will commence in the business community to facilitate a smoother compliance process.

OpenForum Europe would like to express its appreciation to the officials and staff of the European Parliament, the Council, and the Commission for their engagement in discussions with representatives of the free and open source software community. We also acknowledge the hard work of the free and open source software stakeholder representatives, whose collective efforts have been vital in reaching this outcome.

For further information please contact:

Ciarán O’Riordan, Senior Policy Advisor
ciaran@openforumeurope.org and CC euteam@openforumeurope.org