Open Letter from Apereo on the Negative Impacts to Education of the EU Cyber Resilience Act

BEAVERTON, Ore. - Aug. 9, 2023 - PRLog -- Apereo Foundation is working to understand the potential impact of proposed European legislation on the global open source software ecosystem. The EU Cyber Resilience Act (CRA) (https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act) aims to safeguard European consumers and businesses buying or using products or software with a digital component. It was initially envisioned to address hardware (connected devices) but then expanded to include software. The Act employs an established framework to certify hard goods as safe for consumers, requiring auditing and compliance through standards yet to be established. Last week the CRA was voted on and passed out of key committees.

As of this writing, Apereo is concerned the CRA may negatively and dramatically impact institutions of higher education.

The current language of the Act would treat any organizations distributing open source software as manufacturers subject to new regulations, for example a requirement to apply a CE mark to all distributed open source software. Implications of this might include:

• The software you rely upon is no longer available: Non-EU open source projects exclude the EU from use and some projects die.
• Open research becomes harder: Releasing open source software artifacts as part of a commitment to open scholarship becomes problematic due to compliance costs.
• Collaboration becomes difficult: Multi-organisation work on open source becomes complex to manage and difficult to develop, limiting university and commercial partnerships and EU / non-EU collaborations.
• Costs increase: Institutional fees for commercial software products that include open source software increases to cover required re-factoring in response to the CRA.
• Academic curriculum is affected: Code bases, software development tools, and data analysis tech that campuses rely on become inaccessible or are removed from the web.

Although multiple European entities proposed amendments recommending placing the burden and responsibility of compliance on commercial endeavors--which build profit upon freely distributed open source software--the adopted language and intent obligates open source developers, organizations, and foundations, treating their work as "commercial activity."

Apereo is working to understand the implications for institutions of higher education. Thus far, it appears only the "public sector" has been exempted, which may provide some protections for those universities releasing software under an open source license. Risks around software developed outside universities remain.

A call to action will follow.

Thank you for your attention,

Patrick Masson,
Executive Director

Full Letter: https://www.apereo.org/