[OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

Even Rouault even.rouault at spatialys.com
Fri Jul 21 16:38:33 PDT 2023


Hi Adam,

I'm not sure if we can come up with a completely novel analysis of the 
Act compared to what other foundations have already done, but 
looking around the various resources and analyses, this is very 
worrisome if the text passes in its current form (especially the one 
of the EU Parliament; apparently the version of the EU Council would be 
better for open source). The open source exemption is really just for 
"hobby open source" projects.

Most OSGeo projects would be in scope:

- because of what they do: "This Regulation applies to products with 
digital elements whose intended or reasonably foreseeable use includes a 
direct or indirect logical or physical data connection to a device or 
network."

- due to how they are developed: projects that receive contributions from 
sponsored/corporate contributors are in scope, since those are 
considered commercial activities.

Like all legalese, fully understanding the implications is hard, but my 
understanding is that for OSGeo projects, OSGeo could potentially be 
considered as the 'manufacturer' for its graduated projects ("means any 
natural or legal person who develops or manufactures products with 
digital elements or has products with digital elements designed, developed 
or manufactured, and markets them under his or her name or trademark, 
whether for payment or free of charge;") and be subject to the various 
obligations of the text:

- CE Marking (the analysis of the Eclipse Foundation goes as far as "all open 
source foundations should be responsible for CE Mark conformance", cf. 
https://youtu.be/AmsM5_5QO5A?t=1577)

- active look up of vulnerabilities and associated obligations of 
declaring them to ENISA (the EU body that will be in charge of that),

- making sure not to deliver products with exploitable vulnerabilities 
(nice idea, but when combining lots of software, definitely an effort to 
put in)

- specific documentation obligations

- constraints in the design

- etc. etc.

Or perhaps the manufacturer could be each sponsored/corporate 
contributor, in particular the ones that would qualify as main 
contributors?

The real novel aspect of the text is that it places tons of obligations 
on open source software (whose license mentions it is delivered "as is", 
and which is generally distributed free of charge) that would fall in 
the scope of the regulation, for which neither the way projects/their 
supporting organization operate nor their economics is prepared.

Perhaps a minimum form of support from OSGeo could be to add its 
signature to public positions already taken by well-known open source 
foundations such as Mozilla, Apache, Eclipse, etc.

GitHub published amendments for the text 
(https://github.blog/wp-content/uploads/2023/03/GitHub_Position_Paper-Cyber_Resilience_Act.pdf) 
that try to reduce the scope of open source projects to only those that 
are provided as paid or monetized products (the usual definition of 
commercial activity after all!), which also seem worth supporting.

Even


On 21/07/2023 at 23:20, Adam Steer via Discuss wrote:
> Hi OSGeo
>
> The European Union's proposed Cyber Resilience Act has just come to 
> the attention of many non-EU folks as a potential dampener on open 
> source geospatial software development and usage. A summary from 
> GitHub is here (thanks Marco Bernasocchi for pointing it out):
>
> https://github.blog/2023-07-12-no-cyber-resilience-without-open-source-sustainability/
>
>  It's being discussed in the OSGeo board, and some responses from 
> other open source organisations have already been made, for example: 
> https://newsroom.eclipse.org/news/announcements/open-letter-european-commission-cyber-resilience-act
>
> It would be great to hear your thoughts on the impact of the proposed 
> legislation on open source geospatial software development across the 
> globe - so we can form an appropriate community response as soon as 
> possible. What are your thoughts?
>
> Yes, we're late in getting our attention on to this. Hopefully not too 
> late.
>
> Thanks,
>
> Adam
>
> --
> Dr. Adam Steer
> OSGeo director
>
> _______________________________________________
> Discuss mailing list
> Discuss at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/discuss

-- 
http://www.spatialys.com
My software is free, but my time generally not.
