
The European open source world is concerned about the potential side effects of the European Cyber Resilience Act (CRA) bill. Enactment could hinder or even freeze the development of open source software.

Several European open source organizations are warning the European Commission (EC) in an open letter about the impact of the CRA bill on the industry. In its current form, the proposal is said to have a crippling effect on the development of open source solutions.

They also argue that the current proposal poses an economic and technological risk to the EU. With this criticism, the European open source world is trying to gain more of a say.


According to the signatories, open source will be affected in particular because of the large amount of open source code in software currently in use. Developers may become so busy complying with the new laws and regulations that development lags behind.

Moreover, it is not clear what software is covered by the CRA. The bill seems to make an exception for open source software that is openly shared and freely accessible, usable, adaptable and redistributable. A proper (legal) definition of this specific open source software is not given, making it difficult to determine which open source software qualifies.

The provision of (paid) consulting services and technical support also complicates the definition.

CRA bill

The CRA is meant to bring the best cybersecurity measures for Internet-connected products together in one comprehensive law. Hardware and software vendors should make their products as robust as possible and keep them up to date with the latest security updates.

Failure to do so will result in fines of up to 15 million euros or 2.5 percent of annual sales.
