Do you remember the talk we had about the Cyber Resilience Act, the EU regulations that threaten the whole Open Source world and the Free Software Foundation itself? Well, I have big news for you…

I recently attended the Nextcloud Conference in Berlin and I am so enthusiastic to share with you Simon Phipps’s talk about the European Union Regulations and Open Source Movement, as well as his effort in helping the Parliament to figure out a better way to approach the situation. For those of you who don’t know, Phipps is a computer scientist and, most importantly, an open source advocate. In fact, he has been, among other things, President of the Open Source Initiative, and has served on advisory boards for projects like GNOME, OpenSolaris, and AlmaLinux.

As we saw in the last video, the EU is trying really hard to regulate software products by putting a “CE” mark on them; however, in doing so, even if they didn’t mean it in the first place, they are hitting the Open Source community in a collateral way; since it’s important to keep this legislation in mind for a better understanding of this video, I'm going to quickly summarise its concept. The Cyber Resilience Act aims to regulate the development of - and I quote - “secure products with digital elements”, which means that every piece of software that is potentially dangerous for the user’s security, has to follow some strict rules. This is great and all, but, since following these directives is going to cost a lot in terms of money to actually implement, some open source communities (not all of them) are going to struggle to actually do that. But I said that I had some news, right? And Phipps had an interesting take on that…


Firstly, he listed the most important regulations that somehow concern open source organisations and are currently active, or being discussed, in Europe. There is a European Digital Agenda establishing the next objectives for digital regulation. Phipps points out that about 80% of all software and drives used across Europe is actually open source, so it’s only natural that it’s getting regulated (I've seen people saying: as soon as open source is regulated, I'll change country: shut up, of course software is regulated, all of it, already). Not so surprisingly, there are quite a lot of acts, and some of them are actually quite interesting: take for instance the Digital Markets Act, or DMA. This act introduced a series of obligations to which the so-called “gatekeeper” companies (major companies such as Apple, Meta and Microsoft) must submit, in order to prevent them from abusing their market position. However, as we all know, some other regulations are… questionable, to the open source world.

**\[WE ARE TAKEN OUT\]**  

For the writing of these regulations, it feels like nobody from the open source community is actually being consulted. Europe's lawmakers are only listening to what corporations or small and medium businesses have to say, which is a completely different world. And I know you may be thinking: “Well, since that is the problem, wouldn't it be enough to just have some big company within Europe’s high-ups that is actually part of the open source community?”. I’m afraid to say, this really isn’t the solution.

Phipps takes as an example Ericsson, which is a Swedish multinational networking and telecomm… you know them, come on; you might be surprised to learn they're also a board member of the Linux Foundation, as well as of the Eclipse Foundation. They should be a great ally, right? Well, in 2019, the European Commission was asking for public information on new legislation on collaboration between competitors (“horizontal relationships”). These relationships can rise to the level of being anti-competitive: this is what is called “antitrust”.

About this topic, Ericsson asked the Commission to check open source software for antitrust regulations as well. To quote directly from their letter to the Commission: “Ericsson wishes to direct the Commission’s attention to what it perceives as a significant gap in the Horizontal Guidelines, in that they do not cover the development of open source software”. That… kinda sucks, right? They are trying to put open source in a tough spot.


But that’s not all. An even more interesting take in Phipps’s talk is about what he calls the “Fourth Sector”; you may ask, didn’t we only have 3 sectors?

Let’s frame it this way: in the normal processing of these legislations, the European Commission searches for “control points”, various “nuclei” with users around them, where the monetization of a product occurs and which are therefore the site of all the consultation about the regulations. You can see how this definition isn’t really relevant to a lot of circumstances, like open source software. FOSS projects tend to avoid the concept of “control points” because of decentralised work; they are made by people who actually enjoy the piece of software and at the same time are contributors to the software itself; on top of that, the vast majority of these projects are non-profit, so the monetization is not happening at all, besides donations like Kickstarters, Patreons, and so on…

Like... KDE isn't any different: there’s plenty of people enjoying and using the software every single day and a biiiig community behind it helping with the development, and since we are a non-profit project no one is funding us besides, as I was saying earlier, our donors and sponsors.

So, that “Fourth Sector”, which, by the way, I really don’t like calling that, is basically the people who are not only some product’s customers but also actively contribute to its development. A distributed network of people who still have a tremendously big impact on society. That can seem something very far from us, but if you think about it, if you ever happened to contribute to some project in the slightest way, you’ve been part of the Fourth Sector, or should I say, you are part of the world of open source, which is literally… yeh… us.

That being said, the European Union isn't really considering this mechanism in the making of new legislation, which is why the whole CRA and other regulations regarding digital products are completely missing the point for the Open Source community; their opinion is simply left out. And we have to take into account another major problem: besides not being represented properly, FOSS is made of a WIDE range of communities, motivations and aims, very different from each other; reaching every one of them is not going to be an easy task.

**\[WHAT WE DID\]**  

Then should we just accept it and follow this route? Of course the answer is no, and this isn’t the first time we are facing something like this either. So, let's see what we can do.

Actually, before I do that: this video is not sponsored. And yet it took some good hours to write it, three different people worked on this script, now I'm recording this, and then all of this will be sent to the editor, and that's going to take hours as well... all of this only works if I'm able to pay all of these people; we're most often students without other side jobs to sustain us.

So, above my head you should see a progress bar with the money we've received so far this month, and how much I need to actually ... run the whole channel. And here, you have the team of people who are actually working on these videos. I'm extremely thankful to all of those people who are contributing, you are the reason I'm doing all of this; and I would be super grateful if you could donate even just... a few bucks every month, it goes a long way, and you do get extra content as well, just for patreons. Or just ... like this video, and subscribe, you know what helps the channel, I don't have to spell it to you, do I?

Let's get back to fighting against bad legislation. We once did this in 2005 to defeat the Software Patent Directive: “a directive to harmonise national laws on patents for computer-implemented inventions”, which drew a lot of opposition from different communities such as the Free Software Foundation or the FSFE (Free Software Foundation Europe), which ultimately led to it being abandoned, much to everyone's surprise, actually on the day of the vote. And that is what encourages us to keep on working right up until the last minute, ‘cause if we did it once we can achieve the same result again, and I really have faith in that.

**\[CAN IT BE DONE NOW?\]**  

So this whole talk comes to a simple question: can it be done? Can we help the EU understand the Open Source world? And I am really glad to tell you that I have good news for you, or should I say, Phipps has… because he is part of something magnificent.

He, in fact, is a consultant of the EU for Open Source topics and, most importantly, he managed to implement an open-source-like approach to the system I was criticising earlier by creating different bodies to ensure open and transparent work.

And what about what others think? On his blog, Phipps gathered all the responses to the CRA from major communities and software industry representatives, all sharing the same concerns to some degree.


Of course, there are the opinions of the most important open source projects, including for example The Document Foundation (the guys behind LibreOffice). Quote: “For the purposes of the Cyber Resilience Act, there is a real risk that software based on LibreOffice technology will be considered to be made in the course of a commercial activity, and thus subject to the legislation”.

However, you might be surprised to hear that even other software “main characters” jumped in the game: none other than Microsoft itself stated: “There is ambiguity resulting from the intersection of OSS (Open Source Software) with “commercial activity,” both in the context of infrastructure and services provided to open source projects and with regard to activities that open source projects may pursue while building OSS. \[...\] Commercial services enabling the effective use of OSS, such as technical support and consulting services, should also be out of scope and not bring OSS offerings into scope.”

Even programming languages can’t help being worried about the situation: the Python Software Foundation posted their thoughts about the CRA on their blog on April 11, 2023. Quote: “If the proposed law is enforced as currently written, the authors of open-source components might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product. The existing language makes no differentiation between independent authors who have never been paid for the supply of software and corporate tech behemoths selling products in exchange for payments from end-users”.

**\[WHAT CAN YOU DO?\]**  

So, we’ve seen how the big communities and corporations are facing Europe’s decisions. However, I would much prefer talking about something YOU can actually DO to contribute to this “war” and create a fairer regulation.

Firstly, you could check if your community is affiliated to the OSI (Open Source Initiative) or the FSFE, and if the answer is yes (and hear me, that’s fantastic) you can join a monthly call to hear about and discuss the current findings on legislation; or you can be the contact point for your community for open letters to sign on to, so when a letter is written to the Commission you’ll receive an email saying “Hey, could you check whether it is okay for you or your organisation to sign this too?”. If you want to get real about this cause, Phipps even encourages you to contact him directly so he can lead you to a place where you can actually contribute.

By the way... I mentioned KDE, didn't I? Like, at least ten times, didn't I? Well, I am a KDE developer, so sorry about that. Big question: is there any particular bug, or little missing feature, that annoys you in KDE? I created a "commission" page on thiiiiis link, and you can actually book some KDE developer hours to fix it. Of course, we discuss the whole thing beforehand, we see if it's actually fixable, anything that does not get fixed is fully refunded, blah blah. But yeah, I thought you should know about that.


That said, the European Union is surprisingly very, very conscious and open to discussion, which isn’t exactly obvious, and I am so happy that so many people are doing their part {suggestion: “I’m doing my part” meme}. But, as Phipps said, it isn’t a closed deal, because this kind of sector is constantly evolving and it needs constant regulation.

So, again, it would be so appreciated if you could help in any possible way, and make sure to contact your preferred community to get involved.


Reactions: [https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/](https://blog.opensource.org/the-ultimate-list-of-reactions-to-the-cyber-resilience-act/)

Python: [https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html](https://pyfound.blogspot.com/2023/04/the-eus-proposed-cra-law-may-have.html)

Nextcloud Talk: [https://www.youtube.com/watch?v=14_Q1Yzvi-U&t=11953s](https://www.youtube.com/watch?v=14_Q1Yzvi-U&t=11953s)