You spoke, and we heard you: protecting open-source developers in the CRA and PLD
The Product Liability Directive and Cyber Resilience Act are two important EU laws that will impact how software is developed, but many in the open source community are worried about how these laws will affect them, and so am I, which is why I have proposed changes to protect the open source community and guarantee fair rules on liability and cybersecurity.
Two weeks ago, the Python Software Foundation published an article expressing concern about issues they had found in two upcoming EU laws: the Cyber Resilience Act (CRA), and the Product Liability Directive (PLD). Since the publication of that article I’ve heard from lots of people in the open-source community who share those concerns, and I agree!
As one of my political group's two representatives on the Product Liability Directive, I will be tabling proposals to fix the PLD, but I realised there are also issues in the Cyber Resilience Act that urgently need to be addressed, which is why I decided to table proposals to fix the Cyber Resilience Act that mirror my proposals for the PLD.
Fair Liability and Compliance Rules for Open Source developers
Today, whether they know it or not, open source plays an enormous role in the lives of European citizens: it is on our phones, powers the services we use, the websites we visit (including this one!), and many of our digital devices. It can also be massively beneficial to businesses, saving them time and helping them build better products faster. But in recent years, some organisations and businesses have developed a sense of entitlement, perhaps forgetting that the people who made their products possible are working on open-source software in their free time. In addition to this we have seen that some projects absolutely essential to the operation and security of most devices and websites, like cURL and OpenSSL, are being developed by small teams of volunteers.
It would be unfair to hold them liable for the security of the entire internet, and, to be honest, it is unfair to hold any open-source developer liable for code that they provide to us all for free. I believe this, and (I think) the European Commission, who drafted this law, also believes this. But Open Source developers need and deserve clarity, and the PLD and CRA are not clear enough.
My proposed changes make it clear: when a company uses open-source code, they are responsible for ensuring that code is secure. If they cannot do that, then they can always come to an agreement with the developer, or a third-party, to provide commercial support for that code, but by default it is their responsibility.
Ensuring Open Source repositories and projects stay online
As always in politics, there are some exceptions: for instance, when open-source software is provided as a service, but user data is collected for sale to advertisers, the operator of that service is liable. But there was also an exception that could have negatively impacted open source software and code repositories, which could see them being held liable for code they host if they “provide(ing) a software platform through which the manufacturer monetises other services”.
The intention of this provision was likely to ensure Google could be held liable for Android, but unfortunately the vague wording could see it applied to open source repositories. We addressed this by adding a clear exemption for these repositories, and rewording the original exemption so it is clearer on who it applies to.
Where can I read these amendments, and what comes next?
You can read all our proposed amendments here (the left column shows the original text, with the right column showing our proposed changes). These amendments are a first step; now MEPs from all political parties will come together to try to find compromises on the basis of all the amendments submitted, which is why we still need your help!
When it comes to the Cyber Resilience Act, I call on Open Source Organisations to reach out to the MEPs in charge of the proposal: Nicola Danti and Morten Løkkegaard, and ask them to support our proposals.
As for the Product Liability Directive? My team and I are still finalising our proposed changes, but the amendments will mirror the ones we have presented today. As one of the lead negotiators on the PLD, I’ll do everything I can to ensure they make it into the final law!
Thank you!
Finally, I wanted to say a big thank you to all the Open Source community, not just for their feedback and assistance on making these laws better, but also for the enormous contribution to our everyday lives! I’m grateful for all you do! Please keep sharing your concerns: my team and I will do everything we can to address them!