[OSGeo-Discuss] EU Cyber Resilience Act - potential impacts on open geospatial software?

Luís Moreira de Sousa luis.de.sousa at protonmail.ch
Fri Jul 28 00:29:24 PDT 2023


Dear all,

here I offer yet another perspective on the Cyber Resilience Act (CRA), whose
full impact remains poorly understood in our community (not least by me).

My general impression from the draft legislation is it being written by folk
that are either unfamiliar with, or do not understand, software development. The
CRA treats software as a finished product that comes out of an assembly line,
like a car, or from a food processing plant, like a package of tomatoes. The
emergent nature of software (systems) development is blatantly ignored. An
understanding of software as an organic entity, constantly evolving and adapting
is simply not present. As such, this legislation is inevitably bound to go wrong
at some point. 

The main objective of the CRA is to define a set of obligations, liabilities and
penalties for software "manufacturers". The concept of manufacturer is well
defined in clause 18 of Article 3: anyone that designs, develops, maintains or
owns software. Essentially, this legislation makes everyone in this community
liable, including the Foundation itself. It is capital to understand this.

Software "manufacturers" thus become liable for certifying that software complies
with a myriad of security and privacy requirements. These requirements apply to
any software made available to the EU market, either against payment or for
free. This is where things are pretty much open to interpretation. In our
community the concept of "market" simply does not exist as such; software is
shared and co-developed. Services are marketed, for sure, but in general not the
software itself. If I push a repository with some research programme to Codeberg,
does it become a "marketed" product in the EU?

Some other observations:

- The certification requirements appear densely bureaucratic and expensive to
  comply with.

- Software must be re-certified for every (major?) release.

- Certification cannot be waived with a licence. Consider also that many open
  source licences out there are not legally valid in the EU (hence the EUPL) [0].

- Software not compliant with the CRA can only be available to the "market" for
  a limited period of time (unspecified).

In a worst case scenario, in which any software publicly available in a code
forge is regarded as available to the EU market, I see FOSS4G facing three main
scenarios:

1. Large user base projects, e.g. GeoTools, Proj, GDAL, QGis. Eventually these
   projects will muster the resources to achieve compliance (and set the
   mechanisms for recurrent certification). However, considering the
   bureaucracy involved, and the requirement for compliance of upstream
   dependencies, certification can easily take years to complete.

2. Middle ground projects, i.e. in which the code base is not oversized vis-à-vis
   the user/developer community (pygeoapi is a good example). I expect
   the most challenging aspect in these cases to be the certification of upstream
   dependencies. If a core dependency fails to comply with the CRA in a timely
   manner, the project must be removed from the market. Many of the
   companies currently providing services around this type of software will either
   fold or move on to other software that may achieve certification earlier.

3. Projects with low committer-to-code ratio, mostly stable, legacy projects,
   maintained by a small community. The best example is GRASS, but projects like
   MapServer might also fall in this category. I simply do not see how such
   projects can ever reach compliance. How will it ever be possible to certify the
   hundreds of modules in GRASS? Including all upstream dependencies?   

The current CRA draft has over 40 000 words; for sure I do not grasp it all and
have certainly misinterpreted something. However, there are two main points for this
community to take stock of: (i) the CRA has the potential to profoundly impact the
collaborative and legal processes we have heretofore been used to. This includes
folk outside Europe, as they must at least consider if/how to make software
available here. (ii) Uncertainty remains large, especially around the meaning of
making software available to the EU market.

At this stage, more than lobbying, the Foundation can have an important role
in seeking and diffusing useful and concrete information on the CRA. Hopefully
the CRA can take a central role in next year's conference in Tartu.

I hope this was helpful. Best.

Luís 

P.S.: From a more personal perspective, it looks like the CRA largely breaks the Open
Science paradigm the EU has been pushing for almost a decade. I am left wondering how
EU institutions can yield such antagonistic views on software development.

[0] In Europe the concept of "public domain" does not exist legally as in the
US, for instance.
