Letter from the Vrijschrift Foundation to the Dutch Parliament’s First and Second Chambers about the EU Cyber Resilience Act proposal. (original Dutch version)
to: Chairman of the Parliament Second Chamber Committee for Digital Affairs,
Chairman of the Parliament First Chamber committee for Justice and Security
from: Vrijschrift Foundation
concerns: EU Cyber Resilience Act will harm competitiveness
Dear Mr Valstar,
Dear Mr Dittrich,
The EU Cyber Resilience Act (CRA) proposal aims to make products containing software and software itself more secure. [1] This objective is endorsed by Vrijschrift. The Minister of Economic Affairs and Climate has written to the Senate that concerns regarding open source software have been “extensively addressed” by means of a recital. However, recitals do not have independent legal force; the amendments of the Council of the EU are ineffective. The CRA, if adopted in this form, will seriously harm the open source ecosystem and the competitiveness of the European economy. We will explain this below.
Open source software plays a major role in the software world, in the European economy, both for large companies and for SMEs, which are of crucial importance for the EU. [2] The German Automotive Industry Association explained in a brief position paper the importance of free and open source software for standardization, cost efficiency, flexibility and collaboration. A quote:
“The efficient cooperation in the German automotive industry using [free and open source software] is crucial to its competitiveness.” [3]
Modern Dutch software companies often rely entirely on open source. DigitalEurope, representing 45,000 companies operating and investing in Europe, including 102 companies that are world leaders in their field, writes in a statement with extensive recommendations:
“For the CRA to meet its objectives, the final text must include measures that make compliance clear and actionable, rather than generate new uncertainties that would disrupt Europe’s ability to innovate and compete globally.” [4]
The European Commission’s proposal has not taken sufficient account of the unique properties of open source software. Unlike closed source software, which is developed by one party behind closed doors, open source software is developed publicly by individual developers, non-profit organizations, and corporations – a vulnerable ecosystem. It is crucial to include within the scope of the CRA only the separate process of commercially marketing open source software.
With regard to the exception of open source software, the European Commission has included only a limited recital in the Recitals section of the proposal. However, a recital has no independent legal value and can only play a role in the interpretation if there is also an article to interpret. [5] There is no such article with regard to the scope of the CRA.
Co-legislator Council of the EU added amendments to the Recitals in its version without adding an article regarding scope. The Council’s amendments therefore remain ineffective with regard to scope. The Minister of Economic Affairs and Climate confirms in a letter to the First Chamber that this is only a recital. The minister fails to mention that recitals do not have independent legal value and that the concerns have therefore not been “extensively addressed” at all. [6] Painful, especially because our competitiveness is at stake.
The ITRE committee of the European Parliament has added an important article regarding the scope in its version. However, the ITRE committee has added the further necessary exceptions and definitions regarding the scope only as recitals, which are too limited and sometimes counterproductive. This co-legislator’s version therefore also creates a lot of legal uncertainty, which is harmful to a vulnerable ecosystem. [7]
The co-legislators have decided on an accelerated legislative procedure (trilogues), which seems unwise given the state of the proposals. Unlike in The Hague, no or hardly any legislative experts are involved in making laws in Brussels, which is taking its toll here. Without improvements, the Cyber Resilience Act will seriously harm the vulnerable open source software ecosystem and therefore our competitiveness, without making software more secure. [8]
We would like to ask you to encourage that the proposal is improved in consultation with open source software organizations. [9] It should be borne in mind that only articles have independent legal value.
Yours faithfully,
on behalf of the Vrijschrift Foundation,
Ante Wessels
[1] Voorstel voor een Verordening betreffende horizontale cyberbeveiligingsvereisten voor producten met digitale elementen en tot wijziging van Verordening (EU) 2019/1020
[2] It has been estimated that Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions. Venturebeat: “Today, open-source software underpins almost everything: A whopping 97% of applications leverage open-source code, and 90% of companies are applying or using it in some way. GitHub alone had 413 million open-source software (OSS) contributions in 2022.”
https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on
https://venturebeat.com/programming-development/github-releases-open-source-report-octoverse-2022-says-97-of-apps-use-oss/
[3] Verband der Automobilindustrie, Brief Position On the Cyber Resilience Act (CRA) in relation to free and open source software (FOSS)
https://www.vda.de/dam/jcr:888e90b1-84dc-4660-a266-f246a141112f/VDA%20Brief%20position%20FOSS_EN.pdf?mode=view
[4] https://cdn.digitaleurope.org/uploads/2023/09/DIGITALEUROPE_Building-a-strong-foundation-for-the-CRA_key-considerations-for-trilogues.pdf
[5] European Court of Justice: “the preamble to a Community act has no binding legal force and cannot be relied on as a ground for derogating from the actual provisions of the act in question”. Case C-162/97, Nilsson, [1998] ECR I-7477, para. 54
https://curia.europa.eu/juris/showPdf.jsf;jsessionid=8B36507C88BE3799CED74D078109453A?text=&docid=44220&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=2409883
See also: https://www.vrijschrift.org/serendipity/index.php?/archives/259-Cyber-Resilience-Act-may-seriously-harm-free-and-open-source-software.html
[6] Letter to the Dutch Parliament First Chamber, June 19, 2023,
https://zoek.officielebekendmakingen.nl/kst-36239-F.html
[7] DigitalEurope points out that open source software is often commercial, and that to protect the vulnerable ecosystem, a distinction must be made between “upstream development” and “downstream use”; pages 4 and 5, see link above
[8] The Linux Foundation, Open Source and the CRA: It Will Not Work
https://www.linuxfoundation.org/blog/open-source-and-the-cra-will-not-work
[9] Already mentioned above: DigitalEurope; see also: Eclipse and others, The CRA should support open practices of open source and the development of European Open source to the advantage of small and medium size enterprises (SMEs)
https://newsroom.eclipse.org/news/announcements/cra-should-support-open-practices-open-source-and-development-european-open
Simon Phipps, Diverse Open Source uses highlight need for precision in Cyber Resilience Act
https://blog.opensource.org/diverse-open-source-uses-highlight-need-for-precision-in-cyber-resilience-act/