Lost in Legislation: How the EU Missed the Mark with the Cyber Resilience Act

By: Abilian 07/02/2024 Europe

The recent passage of the Cyber Resilience Act (CRA) by European institutions has ignited a firestorm of debate, with the open source community and small and medium enterprises (SMEs) in the tech sector at the heart of the controversy. The fervor reached a peak during the FOSDEM conference last weekend in Brussels, where it became evident that the underlying issues leading to this legislative debacle have yet to be fully understood or addressed by those steering the legislative helm.

A review of the CRA's journey from proposal to enactment uncovers a litany of issues, signaling a profound misalignment between EU policymakers and the very constituencies poised to bear the brunt of the legislation.

This post seeks to unearth the missteps and oversights that marred the CRA's development, highlighting a legislative process marked by deficiency and disconnect. We also make recommendations for future initiatives to ensure that forthcoming legislation fully accounts for the complexities and contributions of the open source community and aligns with broader EU digital strategies.

A Premature Proposal and Its Expanding Scope

Initially, the CRA appeared to focus solely on Internet of Things (IoT) devices, a scope that seemed to have limited impact on the open source ecosystem, and didn't stir much concern.

However, when the initial draft was published, it appeared that the scope had broadened to encompass general purpose software, and it became evident that key stakeholders were caught off guard. This expansion of scope without proper consultation or engagement highlights a critical oversight: the failure to recognize the broader implications of the CRA from the outset.

A Flawed Understanding of Open Source

From what we heard during the legislative process, including insider information, we believe there is still significant misapprehension among EU policymakers regarding the essence of open source. This misunderstanding is not trivial; it spans the breadth of open source's economic impact, the diversity of its business, legal and collaborative models, and the core principles that underpin its development and distribution models. The conspicuous absence of crucial stakeholders — such as the open source SMEs, and notably, the Commission's Open Source Software Program Office (OSPO) — from the CRA's drafting stages is symptomatic of more than mere procedural neglect. It signals a profound knowledge gap among those at the helm of crafting digital policy, betraying a lack of awareness about open source's collaborative nature, its pivotal role in fostering innovation, and its substantial contribution to the European economy and digital sovereignty.

A Misrepresentation of Stakeholder Engagement

The narrative pushed by some EU officials, suggesting that the disorganization of stakeholders, particularly from the open source community, was to blame for their late engagement, is both misleading and unjust. It overlooks the fundamental issue that these stakeholders were never properly consulted in the initial stages, nor during the legislative process.

Stakeholder engagement is a cornerstone of democratic legislative processes, and the failure to proactively include these voices, and the refusal to engage with legitimate representatives of the European open source business ecosystem, speak to a broader issue of accountability and respect for the legislative process.

Dismissal of Concerns and Lack of Genuine Collaboration

The absence of the key policymakers at a workshop focused on open source sustainability, organised by other members of the Commission (DG-IT and DG-CNECT) at the end of 2022, and the refusal of these policymakers to answer numerous meeting requests from representatives of the OSS business sector, signal a troubling lack of willingness to collaborate.

Furthermore, public claims that concerns would "of course" be addressed in the final text of the CRA, despite evidence to the contrary, underscore a disconnect between policymakers and the communities affected by their decisions.

Shifting Blame and Avoiding Responsibility

During FOSDEM, EU officials attempted to shift the narrative towards the supposed disorganization of OSS stakeholders, rather than acknowledging a lack of care or engagement on their part.

The assertion that it is the responsibility of stakeholders to organize and present their concerns in a manner convenient for policymakers abdicates the responsibility of those officials to engage with a broad and representative spectrum of voices.

Absence of Coordination between the Commission's OSPO and the Policymakers

The exclusion of the Commission's Open Source Software Program Office (OSPO) from the legislative process of the CRA is a particularly glaring oversight, given the OSPO's established trust and rapport within the open source ecosystem.

This organization should serve as a critical bridge between the open source community and European policymakers, ensuring that legislative proposals consider the unique dynamics, values, and operational realities of open source projects and businesses. The failure to involve the OSPO not only represents a missed opportunity for meaningful engagement and insight but also signals a concerning disconnect in the EU's approach to legislation.

Recommendations for Future Legislative Processes

  1. Institutionalize Stakeholder Engagement: Formalize the involvement of the OSPO and other relevant bodies in the early stages of the legislative process for all digital and technology-related proposals. This should be more than a token gesture; it should ensure that these entities have a substantive role in shaping legislation, providing feedback, and flagging potential issues before they become entrenched in the proposal.

  2. Establish Cross-Directorate Collaboration Protocols: Develop and implement protocols that mandate collaboration between different directorates and offices (such as the OSPO) when drafting legislation that crosses thematic boundaries. This would facilitate a holistic approach to policy-making, ensuring that all relevant perspectives and expertise are considered.

  3. Create Open Source Impact Assessments: For any future legislation affecting the tech sector, specifically those with potential implications for open source projects and SMEs, require a detailed impact assessment. This assessment should involve consultations with the OSPO and external stakeholders to evaluate the potential effects on the open source ecosystem, innovation, and competitiveness.

  4. Public Consultation and Transparency: Increase the transparency of the legislative process by making drafts available for public comment and ensuring that feedback mechanisms are accessible and meaningful. This could be bolstered by the OSPO acting as a mediator to collect and synthesize input from the business and non-profit open source ecosystem, ensuring that concerns are addressed in a structured and impactful manner.

  5. Ongoing Education and Awareness Initiatives: The OSPO, alongside other EU bodies, should spearhead efforts to educate policymakers about the open source models, their economic and societal benefits, and the potential impacts of legislation on this vital sector. Regular workshops, seminars, and exchange programs are needed to facilitate a deeper understanding of open source dynamics among EU officials.

  6. Establish a Legislative Review Board: Consider creating a review board comprising representatives from the OSPO, industry experts, and stakeholder groups to evaluate the final drafts of technology-related legislation. This board would provide a final check against unintended consequences and ensure alignment with the EU's broader digital strategy and open source principles.

We strongly believe that these measures are needed to improve the EU legislative process for policies that impact the open digital ecosystem, ensuring that future acts similar to the CRA are developed in a more inclusive, informed, and transparent manner. Engaging with and leveraging the expertise of the OSPO and the broader open source community is essential for crafting legislation that supports innovation, competitiveness, and the digital rights of EU citizens, rather than hampering them.