Hi everyone,

Last month the Cyber-Resilience Act (“CRA”) passed a major milestone, with a common text being agreed upon between the European Commission, Council and Parliament at the end of the Trilogue negotiations. The text, which was until now only available as selected leaks, was formally published on December 20 within this communication to the Parliament:

https://data.consilium.europa.eu/doc/document/ST-17000-2023-INIT/EN/pdf

The intent and spirit of the text remain very much the same: applying CE marking and basic product security principles to software. As such, it is going to affect all organizations providing software products on the European market, whether they leverage open source software or not.

That said, it’s clear in this version of the text that the engagement of a lot of open source advocacy groups (including OpenInfra Foundation) has led to multiple clarifications. Those clarifications reduce the disconnect between the text and the openly-developed open source model, and reduce the risk of global chilling effects around open source development participation.

In particular:

- The funding of essential project support functions, without the intention to make a profit, does not constitute “commercial activity” and therefore is not within the scope of this regulation (see recital 10 on page 10 and recital 10c on page 12)
- There is now a clear distinction between the development and the supply phases, with the regulation clearly triggering at the supply phase (when the software is put on the market in the course of a commercial activity) (recital 10c, page 12)
- Foundations should be considered “open-source software stewards” (as defined in Article 3 point (18a), page 76), and should be subject to a light-touch and tailor-made regulatory regime (recital 10d, page 13), exempted from penalties (article 53(10a), page 159)

The proposed text is likely to be adopted as-is by the Parliament (see cover letter on page 2), so now is a good time to get more familiar with its details. Even if the text is adopted as-is, there is a lot more to come in the future as this regulation will need practical implementation guidelines.

We’ll continue to watch that space and keep you informed of future developments – I’ll be representing the OpenInfra Foundation in conversations on this topic at the EU Open Source Policy Summit and FOSDEM events in Brussels in a few weeks. We also plan to continue policy news briefings during board meetings in 2024, like DLA Piper did in Vancouver last year.

Regards,

Thierry Carrez
General Manager, OpenInfra Foundation