Concerns Grow as Cyber Resilience Act Threatens Open Source Security

Cyber Resilience Act puts open source at risk

The Cyber Resilience Act (CRA), first presented by the European Commission in September 2022, has already created a stir in the European cybersecurity landscape. The proposed legislation mandates IT security measures over the entire life cycle of products with digital elements and applies to manufacturers, importers, and distributors alike. While the CRA is a step in the right direction, it has weaknesses that must be corrected before it is passed into law.

One significant area of concern is the treatment of open source components, which are widely used in commercial devices and software. Non-profit organizations such as the Python Software Foundation (PSF) have raised concerns about the liability that could arise from the CRA's extended scope, which contains no exemption for public and non-profit open source repositories. The PSF is a non-profit organization dedicated to promoting, protecting, and advancing the Python programming language, which is freely available to all users.

The PSF fears that the CRA could create significant liability problems, to the point where it could be held legally liable for any product that contains Python code, even though it makes no sales and earns no profit from those products. If that happens, the PSF would no longer be able to make Python and PyPI available to European companies and programmers, with severe consequences for European technology and cybersecurity. The problem is not limited to Python: it affects every publicly accessible open source repository.

Commercial companies that use open source software in their products are already potentially liable for damages caused by defective software, independently of this debate. The European legislator must therefore add exemptions for public and non-profit open source repositories to prevent the CRA from damaging the European open source community.