Thank you for the update.

Do you know where one could find the current draft text which was voted upon? The press release and linked resources don't seem to point to a specific draft text.

Thanks,

-Julia

On Thu, Jul 20, 2023 at 8:15 AM Thierry Carrez <thierry@openstack.org> wrote:
Greetings Directors,

At our in-person board meeting in Vancouver last month, our lawyers at
DLA Piper presented a landscape of regulatory threats and challenges
that could affect open source in the near future. One of those
challenges was the Cyber-Resiliency Act, a proposed legislation in the
EU that aims at introducing safety best practices in digital products.

Unfortunately, the initial text proposed by the EU Commission was
drafted without much input from the open source community, and failed to
take into account the specificity of our development model, potentially
resulting in a chilling effect for developers and organizations
involved, or the fragmentation of our global communities. We
participated in the community response by posting our position[1],
aligned with our partner organizations in the open source world. The
next steps were to wait for the new versions of the proposed legislation
as the EU Parliament committees worked on their own version, to see if
they included any further provisions to protect open source or not.

[1] https://openinfra.dev/blog/openinfra-foundation-cyber-resilience-act

The Parliament version of the text was recently presented, ahead of the
ITRE (Industry, Research and Energy) committee vote on the draft. I
personally reached out to ITRE committee members asking to delay the
vote, but the committee nevertheless approved it on a vote[2] *yesterday
morning*.

[2] https://www.europarl.europa.eu/news/en/press-room/20230717IPR03029/cyber-resilience-act-meps-back-plan-to-boost-digital-products-security

The new version of the text now contains further precision to exclude
from its scope open source software developed using a “fully
decentralised development model”, which matches the principles under
which OpenInfra software is being developed (the Four Opens). However,
this provision is superseded by other provisions squarely placing any
project with developers employed by commercial entities within the scope
of the act, which basically covers nearly all of open source software
produced today.

The text also contains no improvement on the process itself, for example
still requiring that vulnerabilities be disclosed to ENISA within hours
of discovery, even if no patch has been developed to fix them. This is
orthogonal to vulnerability management best practices (like limiting
access to unpatched vulnerabilities to the key people able to fix them,
or responsible disclosure), while making the ENISA database a single
high-value target for hackers in search of unpatched vulnerabilities.

Adoption by the ITRE committee does not mean the fight is over, or the
text final and approved. Now that it’s gone through the three committees
involved (LIBE, IMCO, and ITRE), the text becomes a proposal to be voted
on by the full Parliament. It is unclear at this stage if there will be
a specific discussion and a free vote on it; it will depend on how
consensual or controversial it appears to be. In parallel, the EU
Council (representing national governments) will prepare its own version
of the text, and in the end all proposed acts will be reconciled into a
single version that will become law.

At the OpenInfra Foundation level we will follow next steps with
attention, and participate in any industry initiative to improve this
text to take into account the specificities of our global, collaborative
value creation model. More specifically, we collaborate with the Open
Source Initiative, Open Forum Europe, Linux Foundation and others to
coordinate and support industry response. We will keep you updated on
future developments.

Regards,

--
Thierry Carrez
General Manager, OpenInfra Foundation
Director, OpenInfra Europe

_______________________________________________
Foundation-board mailing list
Foundation-board@lists.openinfra.dev