LibreOffice criticizes EU Commission over proprietary XLSX formats
The Document Foundation criticizes the EU Commission for exclusively using Microsoft's XLSX format in the Cyber Resilience Act consultation.
(Image: heise medien)
The Document Foundation has called on the European Commission in an open letter not to rely solely on Microsoft's proprietary XLSX format in the ongoing consultation on the Cyber Resilience Act (CRA). The EU Commission had published a call for feedback on the CRA guidelines on March 3, 2026. Feedback can be submitted exclusively via an XLSX template until March 31, 2026.
The Foundation sees this as a contradiction to the EU's own interoperability goals. Although XLSX is standardized as OOXML according to ISO/IEC 29500, Microsoft's implementations often deviate from the specifications. Furthermore, features often change undocumented, which complicates compatibility with open-source software such as LibreOffice.
In its blog post published on March 5, 2026, The Document Foundation refers to several EU strategies that should actually promote open standards. These include the European Interoperability Framework (EIF), the EU Open-Source Software Strategy 2020–2023 and its successors, as well as the Cyber Resilience Act itself, which aims to reduce systemic risks from dependencies on non-transparent technologies.
Videos by heise
ODF demanded as an equivalent alternative
The Document Foundation specifically demands that the template be provided in Open Document Format (ODF) in addition to XLSX before the deadline of March 31, 2026. The .ods format is a completely vendor-neutral ISO standard. Ideally, a web-based form or a plain text format would also be provided to enable participation from all citizens, organizations, and institutions.
The exclusive use of XLSX creates a structural bias, the Foundation argues. Users of open-source software are disadvantaged because opening and editing the XLSX template in LibreOffice can lead to compatibility problems with advanced formatting or macros. Small organizations and authorities that use ODF-based workflows are also affected.
CRA comes into force step by step
The Cyber Resilience Act was published in the EU Official Journal on November 20, 2024, and entered into force on December 10, 2024. The main obligations will apply from December 11, 2027, and reporting obligations from September 11, 2026. The regulation governs the cybersecurity of products with digital elements and is aimed at manufacturers, importers, and distributors.
The Document Foundation calls on other FOSS foundations, projects, and advocates to sign the open letter. The EU Commission has not yet responded to the criticism. Technically, the requested extension of the template would be easily implementable.
Criticism of the use of proprietary formats by EU institutions is not new. Just recently, even the EU Parliament adopted a report calling on the EU Commission to implement reforms. The goal must be independence from US infrastructures and more domestic AI and open source. With its lack of format openness in the consultation, the EU Commission is contradicting the EU's goals of digital sovereignty anyway.
Further information and the open letter itself can be found in The Document Foundation's blog post.
(fo)
