<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Dear colleagues,<div class=""><br class=""></div><div class="">The RIPE NCC is preparing its response to the proposed Cyber Resilience Act, which will detail how we see the regulation impacting our own operations, particularly in light of RIPE Atlas and RPKI and the further need for clarification we see around a number of definitions and points in the current proposal. </div><div class=""><br class=""></div><div class="">In addition to our own impact analysis, we’d like to highlight the fact that we’ve also heard feedback on the proposal from within the RIPE community. I’ve drafted a summary of that feedback below, which we intend to include in our submission to the European Commission. </div><div class=""><br class=""></div><div class="">If you’re interested in this topic, I would be happy to hear whether you feel I’ve captured the major concerns accurately or whether any major points are missing. </div><div class=""><br class=""></div><div class="">I know that some of you are also preparing your own submissions, which I highly encourage. After some back and forth, the deadline for contributions was set to 23 January (you can find the link in my original message, below).</div><div class=""><br class=""></div><div class="">Thank you,</div><div class=""><br class=""></div><div class="">Suzanne<br class=""><div class=""><br class=""></div><div class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">********</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">In addition to the above analysis regarding the CRA’s impact on our own operations, we would like to note several broader concerns that have been discussed within the RIPE community. We do so in our role as secretariat for RIPE, which is an open, inclusive community that welcomes the participation of anyone with an interest in IP-based networking. It is this community that develops policies around the allocation and distribution of Internet number resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service region of Europe, the Middle East and parts of Central Asia, and it is the role of the RIPE NCC to implement these policies, which are developed via a consensus-based, multistakeholder approach. </span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">As such, we feel it is important to highlight some of the feedback we’ve heard from the RIPE community at recent RIPE Meetings and on various RIPE mailing lists regarding the potential impact the CRA could have on the open-source community and the development of open-source software and services that play an essential role in the functioning of the open, global Internet. </span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">While the European technical community has welcomed the exception for open-source software provided by the proposed text, the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity”. This wording leaves a lot of room for interpretation as to what, precisely, constitutes commercial activity, especially when taking into consideration the fact that charging for technical support services is considered commercial activity, as is the monetisation of other services provided via a software-sharing platform. </span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">The RIPE community has pointed out that open-source developers often don’t work for an established organisation and are not paid for their efforts in developing software, but may well earn money by contributing support services. As such, the CRA could place undue burden on these developers, who oftentimes contribute to open-source projects as a hobby and for the “good of the Internet”, and who will simply be unable to follow and comply with complex regulatory measures. Alternatively, several not-for-profit organisations contribute open-source software that is widely used by technical operators around the world, yet the definition of commercial activity makes it unclear whether these organisations would be exempt from the CRA or would fall under scope depending on how their software development is funded, whether via a membership, sponsorship, donations or other means.</span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Another concern is that, while larger organisations will be able to afford certification and compliance, smaller players may well be priced out of the market, thereby decreasing competition and innovation — which would move the EU further away from its stated goals, rather than help achieve them. Open-source software developers may simply decide that the cost of compliance within the EU is too high or that the lack of legal clarity is not worth the hassle, which could lead them to placing geographical restrictions on their products. While this may result in better harmonisation within the EU, it would also reduce the availability of open-source software within the EU and would create a more fractured global landscape, which would again be counter to the EU’s ambitions and its recognition of the important role that open-source software development plays in furthering innovation and supporting Internet development.</span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">For these reasons, we would urge the European Commission, on behalf of the RIPE community, to further clarify what is meant by “the course of a commercial activity” and to do so with the aim of encouraging and strengthening open-source developers for the common good of the Internet and the European Union.</span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">We would also encourage the European Commission to work directly with the open source community and the RIPE community, as a source of technical expertise, when developing proposals for regulatory measures that will have a significant impact on the technical community, the technical operation of the Internet and the Internet landscape within the European Union. </span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">For a more detailed discussion of these concerns within the technical community, please consult the following:</span></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-style: italic; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Olaf Kolkman, Internet Society </span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><font color="#000000" class=""><a href="https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/" style="text-decoration: none;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; text-decoration: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;" class="">https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/</span></a><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""> </span></font></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-style: italic; font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Open-source software vs. the proposed Cyber Resilience Act</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">NLnet Labs</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><font color="#000000" class=""><a href="https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do" style="text-decoration: none;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; text-decoration: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;" class="">https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do</span></a><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""> </span></font></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting)</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Maarten Aertsen</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><font color="#000000" class=""><a href="https://ripe85.ripe.net/archives/video/911/" style="text-decoration: none;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; text-decoration: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;" class="">https://ripe85.ripe.net/archives/video/911/</span></a><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""> </span></font></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">ICANN Training Series - Nordic Region: Why some Internet Legislation Might Cause a Headache</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Lars-Johan Liman, Netnod</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><font color="#000000" class=""><a href="https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might" style="text-decoration: none;" class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; text-decoration: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;" class="">https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might</span></a><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""> </span></font></div><br class=""><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">Archive of discussion on RIPE Cooperation mailing list</span></div><div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><font color="#000000" class=""><a href="https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html" style="text-decoration: none;" class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; text-decoration: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;" class="">https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html</span></a><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""> </span></font></div><div class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class=""><br class=""></span></div><div class=""><span style="background-color: rgb(255, 255, 255); font-variant-ligatures: normal; font-variant-east-asian: normal; font-variant-position: normal; vertical-align: baseline; white-space: pre-wrap;" class="">********</span></div><div><br class=""><blockquote type="cite" class=""><div class="">On 2 Dec 2022, at 11:14, Suzanne Taylor <<a href="mailto:staylor@ripe.net" class="">staylor@ripe.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Dear colleagues,<div class=""><br class=""></div><div class="">We’d like to draw your attention to a proposal put forth by the European Commission to strengthen cybersecurity rules for hardware and software products, called the Cyber Resilience Act (CRA):</div><div class=""><br class=""></div><div class=""><a href="https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act" class="">https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act</a></div><div class=""><br class=""></div><div class="">Several members of the Internet community have raised concerns over the implications of the CRA for the open-source community. In particular, Maarten Aertsen of NLnet Labs gave a presentation about the CRA during RIPE 85 and Olaf Kolkman of the Internet Society wrote an article that may be of interest: </div><div class=""><br class=""></div><div class=""><a href="https://ripe85.ripe.net/programme/meeting-plan/os-wg/" class="">https://ripe85.ripe.net/programme/meeting-plan/os-wg/</a></div><div class=""><a href="https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/" class="">https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/</a> </div><div class=""><br class=""></div><div class="">There’s an opportunity to respond to the European Commission’s proposal until (at least) 27 January 2023:</div><div class=""><br class=""></div><div class=""><a href="https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en" class="">https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en</a> </div><div class=""><br class=""></div><div class="">This is an open consultation, and we would encourage you to share your views if you have an opinion. The feedback received will be passed on to the European Parliament and Council (the member states) as they each develop their own positions on the proposal, before negotiations between the three bodies begin. </div><div class=""><br class=""></div><div class="">The RIPE NCC is currently formulating its own response to the proposal, which will include the impact we foresee the CRA having on us as an organisation, but we want to ensure that the wider voice of the technical community is also heard. </div><div class=""><br class=""></div><div class="">You can see past examples of the RIPE NCC’s submissions to open consultations here:</div><div class=""><br class=""></div><div class=""><a href="https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations" class="">https://www.ripe.net/participate/internet-governance/multi-stakeholder-engagement/ripe-ncc-contributions-to-external-consultations</a></div><div class=""><br class=""></div><div class="">Please let us know if you have any questions. </div><div class=""><br class=""></div><div class="">Best regards,</div><div class=""><br class=""></div><div class="">Suzanne </div><div class=""><br class=""></div><div class="">__________________</div><div class="">Suzanne Taylor</div><div class="">Public Policy & Internet Governance</div><div class="">RIPE NCC</div><div class=""><a href="http://www.ripe.net/" class="">www.ripe.net</a></div><div class=""><br class=""></div></div>-- <br class=""><br class="">To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: <a href="https://mailman.ripe.net/" class="">https://mailman.ripe.net/</a><br class=""></div></blockquote></div><br class=""></div></div></body></html>