Grandeur and decadence of European Open Source policy
2023-12-12
Europe's digital policy is in a state of flux, with policymakers grappling to balance security, innovation, and the unique nature of Open Source software. While the EU aims to bolster its digital sovereignty and cybersecurity, exemplified by the Cyber Resilience Act (CRA), its approach and attitude raise critical questions about the future of Open Source in Europe and the need for a more collaborative strategy.
The following text is an expansion of the remarks presented during a panel at 2023's Open Source Experience in Paris.
The Cyber Resilience Act: Unexamined Consequences for Open Source
The European Union's Cyber Resilience Act (CRA) represents a significant step towards enhancing the security of hardware and software products across the continent. The Act mandates that any product in Europe containing digital elements must be CE marked, ensuring it meets security and functionality standards and remains compliant throughout its lifecycle. However, its effects on the free and Open Source software (FOSS) ecosystem have not been thoroughly studied.
According to the Commission's own impact study, the CRA's broad scope and stringent requirements will increase development costs by an estimated 30%. This raises serious concerns, particularly for smaller players and SMEs, about the potential for stifling innovation. The CRA's one-size-fits-all approach fails to adequately account for projects that rely on volunteer contributions and community-driven governance, as well as for projects developed by SMEs, potentially creating a compliance nightmare.
Lost in Translation: The Communication Gap and its Implications
The challenges posed by the CRA are further exacerbated by a communication breakdown between policymakers and the open source community. Key discussions on open source sustainability, such as a workshop organized by the European Commission's OSPO in late 2022, have seemingly occurred in silos, disconnected from the CRA's drafting process.
"This disconnection within the Commission highlighted a significant issue: those knowledgeable about open source weren’t consulted by those regulating it," Fermigier explained, reflecting on his experience representing CNLL and APELL in discussions about the CRA. He further noted that numerous private and open letters and meeting requests from open source representatives went unanswered. This lack of internal coordination and external communication raises concerns about whether the CRA, in its current form, can effectively achieve its security objectives without unduly harming the open source ecosystem it seeks to regulate.
Towards an Open New Deal: Rethinking Digital Infrastructure
The challenges posed by the CRA highlight a broader question: how should Europe approach its digital infrastructure in an age of geopolitical and economic uncertainty? The modern digital economy's reliance on proprietary software and cloud services centralizes control in the hands of a few vendors. This raises concerns about innovation, competitiveness, and the potential vulnerabilities introduced by such centralization.
In this context, an Open New Deal is not merely advisable but perhaps imperative. This entails a strategic shift towards prioritizing and significantly investing in open digital infrastructure. Open source policies can provide a counterbalance to centralization by promoting diversity in software and services. They can allow for greater scrutiny and resilience against cyber threats through collective problem-solving.
The future of open source in Europe hinges on the ability of the community and policymakers to bridge the existing divide. The path forward requires a concerted effort from all stakeholders to ensure that Europe's digital policies foster a thriving open source ecosystem.