Open Source in Europe: Facing the regulatory challenge
The Cyber Resilience Act (CRA) in Europe will mandate stringent security standards for all digital products. While the Open Source community welcomes the focus on security, navigating the CRA’s complexities presents an obvious challenge.
At the recent OW2Con, a panel of experts discussed the most important aspects of compliance and standardization. Diving into the CRA details were the Open Source Initiative’s Simon Phipps; Camille Moulin, Open Source standards advocate; and myself, Stéfane Fermigier, Open Source entrepreneur. The session was organized in a loose fishbowl format: audience members could take a seat on stage and bump a panelist out in rotation.

Here’s an edited and condensed transcript from the session titled “Forthcoming Regulation of the European Software Industry” in June 2024 at OW2Con.
Simon Phipps: Let’s start the discussion on the forthcoming regulation of the European software industry. This topic was prompted by a piece of legislation called the Cyber Resilience Act (CRA), promulgated by the European Commission and Parliament this year, with developments starting in 2022.
Here’s how the session will work: First, Camille will provide a clear picture of the upcoming Cyber Resilience Act (CRA) legislation. Then, I’ll take you through the story of how the Open Source community became involved in the CRA discussions.
Finally, Stéfane will address the areas where the work with the European Commission is still ongoing and what needs to be completed…
Camille Moulin: For those who don’t know me, I’m not a lawyer, but I’ve been involved in the Open Source community for several years and realized the significant impact European regulations can have on our work. For instance, the General Data Protection Regulation (GDPR) introduced clear demands and the more recent Digital Markets Act introduced the concept of gatekeepers. This act allows us to revisit old issues like bundled sales of Open Source systems and hardware.
Open Source regulation offers great opportunities for free and Open Source software, but it also carries risks. The CRA is a prime example, as well as the upcoming Product Liability Directive. These regulations challenge the non-warranty and limitation of liability clauses in Open Source licenses, reducing their impact. Ignoring these regulations is not an option as they fundamentally affect Open Source.
It’s crucial for knowledgeable and sincerely interested individuals in Open Source to contribute to these regulations. The CRA saw real changes thanks to such contributions, highlighting the importance of genuine involvement. However, issues like open washing and undefined terms in regulations, such as the AI Act’s notion of Open Source artificial intelligence, present challenges. It’s essential to have sincere actors contributing to the regulations…
Stéfane Fermigier: Representing CNLL (the French National Federation of Open Source Businesses) and APELL (a European federation of national organizations representing Open Source businesses), I will discuss our efforts regarding the CRA over the last two years and our initiatives to support our community in dealing with this regulation.
We first heard about the CRA in late 2022 and were initially incredulous about its content. In December, a workshop organized by the Commission’s OSPO in Brussels discussed Open Source sustainability, but none of the CRA’s drafters attended. This disconnection within the Commission highlighted a significant issue: those knowledgeable about Open Source weren’t consulted by those regulating it.
Despite attempts to engage, including open letters and meeting requests, we had little success in communicating with the Commission. This taught us the importance of ensuring that specialists within government organizations collaborate on related topics.
At APELL, we aim to represent the Open Source business ecosystem in Europe and seek funding to establish a presence in Brussels. CNLL and other national organizations are setting up working groups to help companies navigate the CRA’s extensive regulations, estimated to increase development costs by 30%.

Phipps: The CRA requires any product in Europe containing digital elements to be CE marked, ensuring it meets security and functionality standards and remains compliant throughout its lifecycle. European standards organizations like ETSI and CEN-CENELEC are tasked with creating harmonized standards for CRA compliance. However, these bodies lack Open Source expertise.
Eclipse is working on a program to help Open Source stewards and companies comply with upcoming standards. It’s crucial to engage and propose strong, relevant standards that reflect Open Source realities. We need coordinated efforts to ensure Open Source perspectives are represented in these standardization processes.

Fukami: I’ve been involved in EU policy and cybersecurity for over two decades. I appreciate the Commission’s openness but believe our community still struggles to communicate effectively and engage at the right times. The CRA and its associated standards are just one part of a broader regulatory landscape that we need to address comprehensively.
Effective engagement requires organization and understanding of the regulatory environment. While the Open Source community has made progress, there’s still a need for improved coordination and strategy. Organizations like OSI and APELL play a crucial role, but we must ensure our efforts are coherent and impactful.
Gael Blondelle: I represent Eclipse, and last year was busy for the Open Source community due to the CRA. We’ve worked to create a less detrimental version of the CRA for our community. The regulation will take effect in a bit over three years, and in that time, standards will be developed. We’ve established connections to influence these standards positively.
Our open regulatory compliance working group aims to draft specifications that manage cybersecurity across the Open Source supply chain, involving stewards, companies, and researchers. We hope to propose these to standardization bodies, ensuring Open Source needs are considered in the final standards.
Pierre-Yves Gibello: Representing OW2, a foundation that might be considered a steward under the CRA, we are exploring ways to provide CRA-compliant stewardship services to our members without imposing significant costs or IP intrusions. If successful, this could offer a viable solution for SMEs, but we must wait for the final legislation to see if this is feasible.
Phipps: To continue this conversation, OSI has a discussion forum at discuss.opensource.org where you can engage further. Let’s continue working together to coordinate our efforts and ensure our community’s needs are met in these regulatory processes.
You can catch the whole 35-minute session on YouTube.
