Risks of the Cyber Resilience Act: “Free software is a source of sovereignty” (Philippe Latombe)


For months, warnings have followed one another about the Cyber Resilience Act now in preparation: presented by the European Commission in 2022, it is meant to impose cybersecurity obligations on digital products and services in the European Union. But it risks causing more than collateral damage to free software.

“Applying to the right place in the free software value chain”

Interviewed in July by the WebTV “The Stock Exchange and Life”, the deputy (MoDem) Philippe Latombe – author in 2021 of the report “Digital sovereignty” – gave this answer to the financial journalist Didier Testot (transcript in Free to read):

“That [the CRA] has side effects, on the other hand, for free software and I discuss it a lot with French free software companies. Let’s see how we can make the CRA apply, but apply at the right place in the free software value chain, that is to say not necessarily to intellectual creation, so where the contributors make code, but rather, if there are ever publishers, it would rather be the publishers who would be subject to the CRA. It would be much more logical and it would make it possible to preserve the free software sector and its wealth because, without free software, we will have a loss of sovereignty.

I am intimately convinced that sovereignty is linked to free software, to the capacity for innovation, to this ability of several people to join forces to discuss the same subject in order to be able to make the best possible code. Free software is a source of sovereignty because it also makes it possible to find alternatives to software from publishers who would be the majority that if we never have more, it would allow companies to continue to operate. We will look with the companies, we will look with the government which is open on the subject, how we can influence the CRA to make it as effective as possible.”

“In Europe, they are essentially employees”, not volunteers

On August 29, on the show “Smart Tech” of the B-Smart podcast, the journalist Delphine Sabattier hosted Jean-Paul Smets, CEO of RapidSpace (transcript in Free to read – hearts to this April group, once again, for this super-useful work!), as well as two heads of digital companies. Jean-Paul Smets emphasizes that for connected objects, whose software is often not updated, the CRA will be very useful, but he comes back to its impact on open source:

“They [the European Commission] have a kind of blue flower idea by saying that free software is necessarily communities of volunteers. In fact, in Europe, free software is essentially employees in SMEs and sometimes in research institutes. The text of the Commission has put an exception to the 15 million euros fine for volunteer communities. But all business software has, at one time or another, an employee who contributes and, in some versions of the text, having an employee means that the software can be considered commercial free software, so it means that practically all free software will suffer the risks of CRA.”

“By setting up this kind of developer/payer idea, the problem is that we are imposing the same constraints on a company like Microsoft, a software publishing giant, and on an SME like Signal18 by Stéphane Varoqui, while they do not have the same means at all. So we will simply filter the offer by making sure that the big publishers, who have the means to create a team dedicated to regulation, will do and the small ones will not be able to take over the responsibility that is imposed on them.”

The whole show is worth listening to (or reading): the other two speakers, Stéphane Varoqui, CEO of Signal18 and formerly of MariaDB, and Arthur Heymans, project manager at 9elements, illustrate precisely how they operate and the consequences of unrestrained accountability for developers.

“We don’t necessarily get the compensation from the people who distribute them”

As Stéphane Varoqui puts it:

“Open source has become much more democratized, few large companies do not use open source products and, suddenly, they have become accustomed to not paying. We are really, the open source, the adjustment variable. Now open source products are sold in the cloud and we developers do not necessarily receive compensation from the people who distribute them. For example, when Google distributes a product in SaaS as a Software mode, like MariaDB… We don’t get any rights to it, we don’t get any money. We are the ones who take charge of the development and they are the ones who benefit financially since they rent their equipment with the product running. So, the only way for open source publishers to get out of it is to go to the cloud, to become a cloud, a competitive cloud, that’s what MariaDB did when I left it.”

Last but not least, the CNLL (representing more than 200 open source companies), which has already raised the alarm several times, published on September 7th “France must protect its free software sector from the side effects of the Cyber Resilience Act (CRA)”, which summarizes its detailed study published the day before.

In the latter, the organization writes:

“The CNLL is deeply concerned about the risks, exposed below, that a final drafting of the CRA would constitute inappropriate given the reality of the economic and development models of the open source sector, and asks the French government to weigh in on the final negotiations in order to protect its national free software sector, which represents nearly 6 billion euros in annual turnover and 64,000 direct jobs in 2023.”

The free and open source organizations in Europe are united in these warnings. The CNLL specifies:

“This position paper on the CRA was developed by the CNLL on the basis of our discussions with many organizations in the open source ecosystem, and in particular our European partners gathered within the APELL (European Free Software Professional Association) which represents the European free software sector in Brussels. In particular, we have used the document Stellungnahme zum Cyber Resilience Act of the OSBA, our German counterpart, as a starting point for this text.”
