This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/cooperation-wg@ripe.net/
[cooperation-wg] Community feedback on EU's proposed Cyber Resilience Act
- Previous message (by thread): [cooperation-wg] DNS4EU
- Next message (by thread): [cooperation-wg] Community feedback on EU's proposed Cyber Resilience Act
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Suzanne Taylor
staylor at ripe.net
Tue Jan 17 13:58:46 CET 2023
Dear colleagues, The RIPE NCC is preparing its response to the proposed Cyber Resilience Act, which will detail how we see the regulation impacting our own operations, particularly in light of RIPE Atlas and RPKI and the further need for clarification we see around a number of definitions and points in the current proposal. In addition to our own impact analysis, we’d like to highlight the fact that we’ve also heard feedback on the proposal from within the RIPE community. I’ve drafted a summary of that feedback below, which we intend to include in our submission to the European Commission. If you’re interested in this topic, I would be happy to hear whether you feel I’ve captured the major concerns accurately or whether any major points are missing. I know that some of you are also preparing your own submissions, which I highly encourage. After some back and forth, the deadline for contributions was set to 23 January: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en> Thank you, Suzanne ******** In addition to the above analysis regarding the CRA’s impact on our own operations, we would like to note several broader concerns that have been discussed within the RIPE community. We do so in our role as secretariat for RIPE, which is an open, inclusive community that welcomes the participation of anyone with an interest in IP-based networking. It is this community that develops policies around the allocation and distribution of Internet number resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service region of Europe, the Middle East and parts of Central Asia, and it is the role of the RIPE NCC to implement these policies, which are developed via a consensus-based, multistakeholder approach. As such, we feel it is important to highlight some of the feedback we’ve heard from the RIPE community at recent RIPE Meetings and on various RIPE mailing lists regarding the potential impact the CRA could have on the open-source community and the development of open-source software and services that play an essential role in the functioning of the open, global Internet. While the European technical community has welcomed the exception for open-source software provided by the proposed text, the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity”. This wording leaves a lot of room for interpretation as to what, precisely, constitutes commercial activity, especially when taking into consideration the fact that charging for technical support services is considered commercial activity, as is the monetisation of other services provided via a software-sharing platform. The RIPE community has pointed out that open-source developers often don’t work for an established organisation and are not paid for their efforts in developing software, but may well earn money by contributing support services. As such, the CRA could place undue burden on these developers, who oftentimes contribute to open-source projects as a hobby and for the “good of the Internet”, and who will simply be unable to follow and comply with complex regulatory measures. Alternatively, several not-for-profit organisations contribute open-source software that is widely used by technical operators around the world, yet the definition of commercial activity makes it unclear whether these organisations would be exempt from the CRA or would fall under scope depending on how their software development is funded, whether via a membership, sponsorship, donations or other means. Another concern is that, while larger organisations will be able to afford certification and compliance, smaller players may well be priced out of the market, thereby decreasing competition and innovation — which would move the EU further away from its stated goals, rather than help achieve them. Open-source software developers may simply decide that the cost of compliance within the EU is too high or that the lack of legal clarity is not worth the hassle, which could lead them to placing geographical restrictions on their products. While this may result in better harmonisation within the EU, it would also reduce the availability of open-source software within the EU and would create a more fractured global landscape, which would again be counter to the EU’s ambitions and its recognition of the important role that open-source software development plays in furthering innovation and supporting Internet development. For these reasons, we would urge the European Commission, on behalf of the RIPE community, to further clarify what is meant by “the course of a commercial activity” and to do so with the aim of encouraging and strengthening open-source developers for the common good of the Internet and the European Union. We would also encourage the European Commission to work directly with the open source community and the RIPE community, as a source of technical expertise, when developing proposals for regulatory measures that will have a significant impact on the technical community, the technical operation of the Internet and the Internet landscape within the European Union. For a more detailed discussion of these concerns within the technical community, please consult the following: The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem Olaf Kolkman, Internet Society https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/ <https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/> Open-source software vs. the proposed Cyber Resilience Act NLnet Labs https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do <https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do> Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting) Maarten Aertsen https://ripe85.ripe.net/archives/video/911/ <https://ripe85.ripe.net/archives/video/911/> ICANN Training Series - Nordic Region: Why some Internet Legislation Might Cause a Headache Lars-Johan Liman, Netnod https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might <https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might> Archive of discussion on RIPE Cooperation mailing list https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html <https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html> ******** -------------- next part -------------- An HTML attachment was scrubbed... URL: </ripe/mail/archives/cooperation-wg/attachments/20230117/b70b2001/attachment.html>
- Previous message (by thread): [cooperation-wg] DNS4EU
- Next message (by thread): [cooperation-wg] Community feedback on EU's proposed Cyber Resilience Act
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]