[ripe-list] Community feedback on EU Cyber Resilience Act proposal

Dear colleagues,

The RIPE NCC is preparing its response to the proposed Cyber Resilience Act, which will detail how we see the regulation impacting our own operations, particularly in light of RIPE Atlas and RPKI and the further need for clarification we see around a number of definitions and points in the current proposal. 

In addition to our own impact analysis, we’d like to highlight the fact that we’ve also heard feedback on the proposal from within the RIPE community. I’ve drafted a summary of that feedback below, which we intend to include in our submission to the European Commission. 

If you’re interested in this topic, I would be happy to hear whether you feel I’ve captured the major concerns accurately or whether any major points are missing. 

I know that some of you are also preparing your own submissions, which I highly encourage. After some back and forth, the deadline for contributions was set to 23 January (you can find the link in my original message, below).

Thank you,

Suzanne

********
In addition to the above analysis regarding the CRA’s impact on our own operations, we would like to note several broader concerns that have been discussed within the RIPE community. We do so in our role as secretariat for RIPE, which is an open, inclusive community that welcomes the participation of anyone with an interest in IP-based networking. It is this community that develops policies around the allocation and distribution of Internet number resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service region of Europe, the Middle East and parts of Central Asia, and it is the role of the RIPE NCC to implement these policies, which are developed via a consensus-based, multistakeholder approach. 

As such, we feel it is important to highlight some of the feedback we’ve heard from the RIPE community at recent RIPE Meetings and on various RIPE mailing lists regarding the potential impact the CRA could have on the open-source community and the development of open-source software and services that play an essential role in the functioning of the open, global Internet. 

While the European technical community has welcomed the exception for open-source software provided by the proposed text, the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity”. This wording leaves a lot of room for interpretation as to what, precisely, constitutes commercial activity, especially when taking into consideration the fact that charging for technical support services is considered commercial activity, as is the monetisation of other services provided via a software-sharing platform. 

The RIPE community has pointed out that open-source developers often don’t work for an established organisation and are not paid for their efforts in developing software, but may well earn money by contributing support services. As such, the CRA could place undue burden on these developers, who oftentimes contribute to open-source projects as a hobby and for the “good of the Internet”, and who will simply be unable to follow and comply with complex regulatory measures. Alternatively, several not-for-profit organisations contribute open-source software that is widely used by technical operators around the world, yet the definition of commercial activity makes it unclear whether these organisations would be exempt from the CRA or would fall under scope depending on how their software development is funded, whether via a membership, sponsorship, donations or other means.

Another concern is that, while larger organisations will be able to afford certification and compliance, smaller players may well be priced out of the market, thereby decreasing competition and innovation — which would move the EU further away from its stated goals, rather than help achieve them. Open-source software developers may simply decide that the cost of compliance within the EU is too high or that the lack of legal clarity is not worth the hassle, which could lead them to placing geographical restrictions on their products. While this may result in better harmonisation within the EU, it would also reduce the availability of open-source software within the EU and would create a more fractured global landscape, which would again be counter to the EU’s ambitions and its recognition of the important role that open-source software development plays in furthering innovation and supporting Internet development.

For these reasons, we would urge the European Commission, on behalf of the RIPE community, to further clarify what is meant by “the course of a commercial activity” and to do so with the aim of encouraging and strengthening open-source developers for the common good of the Internet and the European Union.

We would also encourage the European Commission to work directly with the open source community and the RIPE community, as a source of technical expertise, when developing proposals for regulatory measures that will have a significant impact on the technical community, the technical operation of the Internet and the Internet landscape within the European Union. 

For a more detailed discussion of these concerns within the technical community, please consult the following:

The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem
Olaf Kolkman, Internet Society 
https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/ <https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/> 

Open-source software vs. the proposed Cyber Resilience Act
NLnet Labs
https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do <https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do> 

Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting)
Maarten Aertsen
https://ripe85.ripe.net/archives/video/911/ <https://ripe85.ripe.net/archives/video/911/> 

ICANN Training Series - Nordic Region: Why some Internet Legislation Might Cause a Headache
Lars-Johan Liman, Netnod
https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might <https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might> 

Archive of discussion on RIPE Cooperation mailing list
https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html <https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html> 

********

> On 2 Dec 2022, at 11:14, Suzanne Taylor <staylor at ripe.net> wrote:
> 
> Dear colleagues,
> 
> We’d like to draw your attention to a proposal put forth by the European Commission to strengthen cybersecurity rules for hardware and software products, called the Cyber Resilience Act (CRA):
> 
> https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act <https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act>
> 
> Several members of the Internet community have raised concerns over the implications of the CRA for the open-source community. In particular, Maarten Aertsen of NLnet Labs gave a presentation about the CRA during RIPE 85 and Olaf Kolkman of the Internet Society wrote an article that may be of interest: 
> 
> https://ripe85.ripe.net/programme/meeting-plan/os-wg/ <https://ripe85.ripe.net/programme/meeting-plan/os-wg/>
> https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/ <https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/> 
> 
> There’s an opportunity to respond to the European Commission’s proposal until (at least) 27 January 2023:
> 
> https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en> 
> 
> This is an open consultation, and we would encourage you to share your views if you have an opinion. The feedback received will be passed on to the European Parliament and Council (the member states) as they each develop their own positions on the proposal, before negotiations between the three bodies begin. 
> 
> The RIPE NCC is currently formulating its own response to the proposal, which will include the impact we foresee the CRA having on us as an organisation, but we want to ensure that the wider voice of the technical community is also heard. 
> 
> You can see past examples of the RIPE NCC’s submissions to open consultations here:
> 
> https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations <https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations>
> 
> Please let us know if you have any questions. 
> 
> Best regards,
> 
> Suzanne 
> 
> __________________
> Suzanne Taylor
> Public Policy & Internet Governance
> RIPE NCC
> www.ripe.net <http://www.ripe.net/>
> 
> -- 
> 
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ripe-list/attachments/20230117/a44b2829/attachment.html>