Thank you for the update!

This is all good to hear. Do you have any feeling for when practical implementation guidelines will be available? At a glance, it looks like some aspects enter into force some months after the overall act is adopted; I suspect it might be useful to note any such important dates or milestones during future updates.

Thanks again!

-Julia

On Thu, Jan 4, 2024 at 8:08 AM Thierry Carrez <thierry@openinfra.dev> wrote:
Hi everyone,

Last month the Cyber-Resilience Act (“CRA”) passed a major milestone,
with a common text being agreed upon between the European Commission,
Council and Parliament at the end of the Trilogue negotiations.

The text, which was until now only available as selected leaks, was
formally published on December 20 within this communication to the
Parliament:

https://data.consilium.europa.eu/doc/document/ST-17000-2023-INIT/EN/pdf

The intent and spirit of the text remain very much the same: applying
CE marking and basic product security principles to software. As such,
it is going to affect all organizations providing software products on
the European market, whether they leverage open source software or not.

That said, it’s clear in this version of the text that the engagement of
a lot of open source advocacy groups (including OpenInfra Foundation)
has led to multiple clarifications. Those clarifications reduce the
disconnect between the text and the openly-developed open source model,
and reduce the risk of global chilling effects around open source
development participation. In particular:

- The funding of essential project support functions, without the
intention to make a profit, does not constitute “commercial activity”
and therefore is not within the scope of this regulation (see recital 10
on page 10 and recital 10c on page 12)

- There is now a clear distinction between the development and the
supply phases, with the regulation clearly triggering at the supply
phase (when the software is put on the market in the course of a
commercial activity) (recital 10c, page 12)

- Foundations should be considered “open-source software stewards” (as
defined in Article 3 point (18a), page 76), and should be subject to a
light-touch and tailor-made regulatory regime (recital 10d, page 13),
exempted from penalties (article 53(10a), page 159)

The proposed text is likely to be adopted as-is by the Parliament (see
cover letter on page 2), so now is a good time to get more familiar with
its details. Even if the text is adopted as-is, there is a lot more to
come in the future as this regulation will need practical implementation
guidelines.

We’ll continue to watch that space and keep you informed of future
developments – I’ll be representing the OpenInfra Foundation in
conversations on this topic at the EU Open Source Policy Summit and
FOSDEM events in Brussels in a few weeks. We also plan to continue
policy news briefings during board meetings in 2024, like DLA Piper did
in Vancouver last year.

Regards,

Thierry Carrez
General Manager, OpenInfra Foundation
_______________________________________________
Foundation-board mailing list -- foundation-board@lists.openinfra.dev
To unsubscribe send an email to foundation-board-leave@lists.openinfra.dev