Policymakers in the EU are working on a new regulation to improve cybersecurity. Proposed by the European Commission last year, the Cyber Resilience Act will allocate responsibility for shipping and maintaining secure software products to the companies that sell them, but its current form could pose challenges for open source. At GitHub, we’re looking forward to working with policymakers to improve cybersecurity and support developers.
Cybersecurity reform is clearly needed. Too often products are shipped without adequate security and not maintained as new vulnerabilities come to light. Many of us have directly suffered as a result. The Cyber Resilience Act aims to change this. It would set requirements for secure development and maintenance of digital products in the single market, with elevated standards for critical products like web browsers and VPNs. And importantly, it would require manufacturers to patch vulnerabilities in their software in a timely manner. These proposed changes have industry and developers alike looking closely at the specifics.
Recognizing its economic impact and role in innovation, the European Commission proposal contemplates a partial exemption for open source software. While a good start, a partial exemption for open source is not enough. The proposal needs fixing, and the open source community has raised concerns.
The text exempts non-commercial open source, but defining this in practice is challenging. Developers create and maintain open source in a variety of paid and unpaid contexts, including corporate, government, nonprofit, academic, communities, and solo. Non-profit organizations offer paid consulting services as technical support for their open source software. And increasingly, developers receive sponsorships, grants, and other forms of financial support for their efforts. These nuances require a different exemption for open source.
We look forward to partnering with EU policymakers to provide clarity for open source and developers. As we outlined in a filing with the European Commission, the Cyber Resilience Act can be improved by focusing on finished products. If open source software is not offered as a paid or monetized product, it should be exempt. Keeping this focus would also provide certainty for collaborative software development and distribution platforms, from GitHub to self-hosted servers, container registries to package managers. While these were explicitly exempted in the EU Copyright Directive, there is risk that they may be considered distributors within the Cyber Resilience Act.
Providing certainty for open source will be a boon for our shared digital infrastructure and for European developers. European Commission-sponsored research estimates that open source software contributed at least €65-95 billion to EU GDP in 2018, and that annual number is set to only increase as open source powers AI development. Much more can be done, too. The German government, in particular, has taken note of the importance of open source. Last year, they launched the Sovereign Tech Fund, which supports open source projects in the public interest. Policymakers across Europe and the world should take note: models of direct government support for and engagement in developing open source are promising complements to multi-stakeholder initiatives, like OpenSSF, in securing our digital commons.
As work continues on the Cyber Resilience Act, GitHub is partnering with policymakers and the developer community to ensure the legislation actually increases cyber resilience. For more on how you can get involved, and to contribute ideas on how our proposed amendments can be improved, please contribute in our repository.