Open Letter from the Apereo Foundation ED: Impending E.U. Regulatory Requirements

RE: EU Cyber Resilience Act (CRA)
FR: Patrick Masson
      Executive Director
      Apereo Foundation

Dear Apereo Members and Community,

Apereo Foundation is working with the Eclipse Foundation, Open Forum Europe, and others to understand the potential impact of proposed European legislation on the global open source software ecosystem. The EU Cyber Resilience Act (CRA) aims to safeguard European consumers and businesses buying or using products or software with a digital component. It was initially envisioned to address hardware (connected devices) but then expanded to include software. The Act employs an established framework to certify hard goods as safe for consumers (toasters, electronics, dishwashers), requiring auditing and compliance through standards yet to be established. Last week the CRA was voted on and passed out of key committees.

On May 10, 2023, the Executive Director of the Eclipse Foundation provided the Apereo community with a comprehensive briefing on the substance and risks of the CRA. Since that time, the legislative process has moved on at some pace. As of this writing, Apereo is concerned the CRA may negatively and dramatically impact institutions of higher education, specifically as:

• Developers and distributors of locally produced and managed open source software projects and communities.
• Adopters and adapters (i.e., customizing, localizing, etc.) of open source software.
• Contributors to externally maintained (off-campus) open source software projects.
• Consumers of open source software as stand-alone projects or as part of commercial/proprietary platforms or services.

The current language of the Act would treat any organizations distributing open source software as manufacturers subject to new regulations, including (for example) a requirement to apply a CE mark to all distributed open source software. Implications of this might include:

• The software you rely upon is no longer available: Non-EU open source software projects exclude the EU from use, and some projects are removed from the web entirely to avoid unsustainable compliance costs.
• Open research becomes harder: Releasing open source software artifacts as part of a commitment to open scholarship becomes problematic due to compliance costs.
• Collaboration becomes more complex and difficult: Multi-organisation work on open source software projects becomes complex to manage and difficult to develop, potentially limiting university and commercial partnerships and EU / non-EU collaborations.
• Costs increase: Institutional fees for commercial software products that include open source software increases to cover required re-factoring in response to the CRA.
• Academic curriculum is affected: Code bases, software development tools, and data analysis technologies that campuses rely on for learning and teaching activities become inaccessible or are removed from the web, resulting in a rapid need to redevelop academic curricula.

Although multiple European entities proposed amendments recommending placing the burden and responsibility of compliance on commercial endeavors--which build profit upon freely distributed open source software--the adopted language and intent obligates open source developers, organizations, and foundations, treating their work as "commercial activity." Apereo is working to understand the implications for institutions of higher education. Thus far (and most recently), it appears only the "public sector" has been exempted, which may provide some protections for those universities releasing software under an open source license. We are working to understand if this would include public universities within the EU. Risks around software developed outside universities remain.

Further reading and viewing - several global stakeholders have published relevant articles, including:

• A comprehensive post and resource reference from the Apache Foundation.
• Belgium-based Eclipse Foundation provided a video update last week on the CRA.
• The above Eclipse webinar builds upon the original article published by the foundation several months earlier.
• The article, "The Cyber Resilience Act Threatens the Future of Open Source," via Raven Central.
• A very detailed analysis by the Internet Society and friends.

A call to action will follow.

The period for public comment has passed, but the deliberation has not. Co-legislators will convene again in September when the full house (Plenary vote) will vote on the CRA before entering the trilogue process.* Some changes in the current language will be possible through that process, so work now to understand better how the CRA may impact our membership, open source software, and Apereo is critical. In closing, please know that the Apereo Foundation will continue to monitor the progress of this crucial piece of legislation with its important aim to improve Cybersecurity for European citizens, universities, students, and education. We will keep you informed of the process and outcome of the Act.

In the meantime:

• We will continue our communications with the Apereo community (emails, newsletters, webinars, etc.) to ensure the potential impact on higher education engaged in open source software development is part of our collective awareness.
• Please share this letter and additional information on the CRA with your organization, other consortia, and relevant groups.
• Take time to conduct your own risk analysis to understand and assess potential impacts and liabilities.

Please feel free to contact me directly if you have any questions or if Apereo can help your organization better understand or prepare for the EU Cyber Resilience Act.

Thank you for your attention,

Patrick Masson,
Executive Director
Apereo Foundation

*A trilogue is an informal inter-institutional negotiation bringing together representatives of the European Parliament, the Council of the European Union, and the European Commission.

9450 SW Gemini Dr PMB 98572
Beaverton, OR 97008-7105
United States