विपुल!

Brussels Tech Week 2024

EU Open Source Policy Summit and FOSDEM report

On Feb 2nd and 3rd, Iván and I attended the EU's biggest open source event. FOSDEM is a leading free event in Brussels where open source software developers meet, share ideas, and collaborate. Renowned for its volunteer-run, grassroots approach, it embodies the spirit of the FOSS community and offers a wide range of sessions on the latest trends and innovations in the field.

FOSDEM has also served as a key forum for discussions on EU regulations that could affect the open source community, facilitating meaningful dialogue between policymakers and developers.

Apart from the community, the new Cyber Resilience Act was one of my primary motivations for attending. This post summarizes some top-level learnings.

At the heart of the EU's legal arsenal are regulations, directives, and decisions, each with its own impact on member states' laws. Regulations, like the CRA, are directly enforceable across the EU, ensuring uniform application without the need for national legislation. Directives, by contrast, set out objectives that member states must achieve while leaving them flexibility in how those goals are realized. Decisions target specific entities with binding legal force.

Cyber Resilience Act (CRA)

The CRA is a regulation proposed by the European Commission to strengthen cybersecurity across digital products and services. It aims to establish uniform cybersecurity standards for products with digital elements, enhancing consumer and business protection. The CRA's broad scope covers a wide range of digital goods and services, imposing responsibilities on economic operators to ensure compliance with these new cybersecurity norms.

Scope and Exclusions of the CRA

The CRA's comprehensive scope includes hardware products, software products, and remote data processing solutions, making it applicable to a vast array of digital offerings in the EU market. However, it explicitly excludes non-commercial products, standalone Software as a Service (SaaS), and sectors already covered by sector-specific EU legislation, such as cars and medical devices. This distinction helps clarify the regulatory landscape for stakeholders.

Conformity Assessment and Its Implications

A critical component of the CRA is the conformity assessment process, which varies according to the cybersecurity risk associated with a product. Products presenting standard risks can undergo self-assessment, while those integral to network and information security may require third-party evaluation. Significantly, the CRA provides a pathway for Free and Open Source Software (FOSS) to undergo self-assessment, recognizing the distinctive model of open source development, its inherent transparency, and its community-driven security improvements.

The Product Liability Directive (PLD)

In parallel to the CRA, the PLD is being updated to address the challenges posed by digital technologies and services. The PLD's modernization aims to ensure that consumers are adequately protected from damage caused by defective products, extending its applicability to digital content and services. This update reflects the evolving nature of products and the importance of keeping consumer protection measures in step with technological advances.

Implications for Open Source Software (OSS)

The CRA and the updated PLD have significant implications for the OSS community. The CRA's approach to conformity assessment acknowledges the strengths of the OSS model, while the PLD's updates ensure that liability considerations keep pace with the digital age. Together, these legislative developments underscore the EU's commitment to fostering a secure and resilient digital environment, balancing regulatory oversight with the dynamism of open source innovation.

Transition and Impact

The CRA is expected to be finalized soon (by July), with a transition period of 3 years to allow stakeholders to adjust to the new requirements. This period is a critical window for businesses, developers, and policymakers to align their practices with the forthcoming standards, so that the digital market remains both innovative and secure.

If you want to learn more, here are some additional resources:

What does this mean for Venture Fund companies?

Although the exact changes are not yet in force, and even though we have no direct involvement in the EU (given our focus on UNICEF Program countries), I recommend appointing a small subgroup to plan and implement changes to resources and workplans, so that we ensure proper security and maintain insight into the topic.