Open Source: Cyber Resilience Act Could Significantly Harm European Companies

The controversial Cyber Resilience Act is approaching. Mike Milinkovich, Executive Director of the Eclipse Foundation, discusses its potential impact.


(Image: Zolnierek/Shutterstock.com)

By Maika Möbus

(This interview is also available in German.)

The Eclipse Foundation's annual conference, EclipseCon, took place for the 17th time in Ludwigsburg this year and attracted over 400 visitors from 31 countries – many of whom have been loyal conference attendees from the very beginning. One of the topics discussed at the conference was the planned European law known as the Cyber Resilience Act (CRA), which is expected to come into effect next year and has caused a stir within the open source community.

At EclipseCon 2023, heise Developer spoke to the Executive Director of the Eclipse Foundation, Mike Milinkovich, who has been closely following the CRA and its potential impact on open source: How could the CRA change the open source landscape in Europe and how can affected organizations prepare for it?

Interview Guest Mike Milinkovich

(Image: Mike Milinkovich)

Mike Milinkovich has been involved in the software industry for over thirty years, doing everything from software engineering, to product management to IP licensing. He has been the Executive Director of the Eclipse Foundation since 2004. In that role he is responsible for supporting both the Eclipse open-source community and its commercial ecosystem. Prior to joining Eclipse, Mike was a vice president in Oracle’s development group. Other stops along the way include WebGain, The Object People, IBM, Object Technology International (OTI), and Nortel.

Update

Since the interview was conducted in October 2023, there have been changes regarding the Cyber Resilience Act – as reported by heise online – which appear to take the concerns of the open source community into account.

heise Developer: The Eclipse Foundation has been warning about the impact of the Cyber Resilience Act and published an open letter in collaboration with other open source organizations in April 2021. In this letter, the undersigned stated they were prepared to send a representative delegation to meet with members of the European Commission. Has a meeting taken place and do you believe the concerns of the open source community are being taken into account?

Mike Milinkovich: There has not been a meeting with any kind of official delegation or representative delegation of the open source foundations and the Commission. But there have been numerous discussions, formal and informal. So we do feel that our concerns are being listened to. I'm not entirely sure they are being understood, but they're being listened to.

Part of the problem is that we, as the open source community and the foundations that we represent, have historically done a poor job of explaining what we do and how we do it, and why we're important to policy makers and the economy. Ultimately, there are several things going on here. One is that everybody agrees that cyber security needs to be improved and that European consumers and businesses need to be protected. At the same time, Europe needs to ensure that it has an innovative economy and is protecting the future economic prosperity of all Europeans at the same time. These are trade-offs in some sense as there is no absolute right or wrong in either direction.

What is missing from the mental model of policymakers is the role that open source plays in innovation and economic prosperity. We are way behind in trying to explain to them why what we do is important, different, and unique, and why some of the options they are considering would be very harmful for the future prosperity of Europe—while failing to advance the protection of consumers.

That's the dilemma: We should have been explaining this to them years ago, and now it's all happening at once and we're scrambling to catch up.

heise Developer: So, would you say this all came totally unexpectedly to the open source community?

Mike Milinkovich: To a certain degree, yes, it was unexpected. Ursula von der Leyen made a speech in 2021 saying that Europe was going to be working towards improving cyber security for European consumers, but even that original speech focused on improving the cybersecurity of IoT devices. Somewhere during the period of time between the speech, the start of the legislative agenda and the presentation of the draft by the European Commission to Parliament and the Council in September of 2022, the scope of the legislation changed from IoT devices to all software. And that's an enormous change.

I think it caught industry by surprise as well. Open source is part of the broader technology industry and the technology ecosystem. I want to make it clear, though, we don't feel like the legislators are coming after open source. The policy makers are devising ways to improve security for, originally, all IoT devices and apparently now all software. And open source is part of that.

If you changed the word "software" to "IoT devices" or "consumer electronic devices" in the CRA, we would not be having this conversation now, because the scope would be so much more refined and so many provisions in the CRA would be obviously applicable to devices, when talking about physical goods and how they're made. A lot of things would make more sense. It was the extension into pure software that was both surprising and expansionary.

heise Developer: If the CRA goes through in its current form, what do you believe the worst-case outcome may be for open source software in Europe, and how likely is that to happen?

Mike Milinkovich: That question is actually more difficult to answer than you may think, because there are currently three versions of the Cyber Resilience Act: the original version from the European Commission, the version that was approved by the ITRE Committee in the European Parliament, and the third version from the Council of the European Union—and all three of those versions are significantly different.

If the version from the Council of the European Union was the one to be passed, we would be mostly okay regarding open source. There are a few things in there that are imperfect, but that would be fine.

If it was either of the versions that came out of the European Commission or the ITRE Committee, that would significantly harm the ability of European companies to compete going forward, because a lot of providers of open source would simply say it's far easier to state "you cannot use my code in Europe" than it would be to comply with the CRA requirements. That would be a terrible situation for Europe to put itself into.

Right now, the trilogue process is taking place: The two co-legislators—the European Parliament and the Council of the European Union under the current Spanish Presidency—are negotiating the final text with the help of the European Commission which drafted the initial text. That process has been ongoing for several weeks. It's behind closed doors, so unless there is an unauthorized leak, we won't know more until the final version is published, which will be probably sometime in late January or early February.

(Editorial note: Since the interview, the news portal Euractiv has gained information that points to a compromise on "how to regulate open source software and the definition of a support period throughout which manufacturers will guarantee security updates.")

heise Developer: What steps is the Eclipse Foundation currently taking in preparation for the Cyber Resilience Act?

Mike Milinkovich: We're not doing anything right now in preparation. We're thinking about things that we could do, but we are a small organization and it would be a waste of our resources to do a lot of work at this point, before we see the final text. There will be at least two years from the day that the CRA is published until the implementation has to be done. Some are asking for as much as four years. Our focus has been primarily around assembling people in the team that is ready to go into planning mode as soon as the final version is released.

But no matter what, the CRA will change how we at the Eclipse Foundation do open source in the future. In the best case scenario, the CRA will largely exclude open source from the compliance requirements—so we actually get what we asked for. Even in that case, every one of the companies that use our open source projects in commercial products will have the requirement in their world to be CRA compliant and put the CE mark on their products.

We have projects that are used by thousands of companies and thousands of products. It makes no sense for every single one of those companies to duplicate effort across every single product, but rather to do work with the Eclipse Foundation to get as much of that compliance work done as possible in the upstream open source projects.

heise Developer: Is that also what you suggest that other affected individuals and organizations do, to wait until it's clear what the final version will be?

Mike Milinkovich: I exaggerated when I said we're not doing anything, as we're starting to think about what shape the future steps could take. There are some things that you can start to think about now, to make your open source project run cyber secure.

Places like the Eclipse Foundation and the Apache Software Foundation have a significant advantage over some other open source organizations: We have well-defined community practices, well-defined policies and processes, so we can take measures that influence all of our projects. A project on GitHub doesn't have that shared community of practice that you get from working with an organization like the Eclipse Foundation.

heise Developer: In January 2021, the Eclipse Foundation completed its move to European-based governance. The draft for the Cyber Resilience Act by the European Commission was published in September 2022. If you had known about the CRA at the time of the move, might that have changed your decision to move to Europe?

Mike Milinkovich: No. We're very happy with our move to Europe. From our perspective, moving to Europe has been a huge success. We are the largest open source foundation in Europe and are attracting lots of projects and members because of that. We have a unique position in Europe as the home of digital sovereignty. The open source implementation work for all of the various European initiatives related to digital sovereignty, such as data spaces, Catena-X, Digital Twins, and Industry 4.0, is happening at the Eclipse Foundation. Obviously, we're thrilled about that.

Our discussion about regulation so far has been focusing on the European regulation in the CRA. But American policymakers are working on their own equivalents in parallel. Again, this is not about governments regulating open source. Governments are going to regulate the technology industry in ways that it has not been regulated up until now. And open source is part of that.

We're not the target, but we are part of a larger picture. And it's going to happen in a different way, but the United States are also on a path to changing the rules of the game for the technology industry in Europe, and that would have impacted us there, too.

I'm still cautiously optimistic that, even with the CRA, in the end reason will prevail and there will be legislation that both protects European consumers and protects the future economic prosperity of Europe.

heise Developer: Thank you for the interview!

Mike Milinkovich at EclipseCon 2023 (Image: Eclipse Foundation)

(mai)