CRA & PLA Cybersecurity Laws Need Rewording
TL;DR
Proposed EU laws to restrict irresponsible businesses might be abused to hurt FOSS (free & open-source software) volunteers due to poor wording.
- the Cyber Resilience Act (CRA) & Product Liability Act (PLA) aim to increase software security & accountability
- Article 16 states a “person, other than [manufacturer/importer/distributor, who makes] a substantial modification of [a software product] shall be considered a manufacturer”
- many (Python Software Foundation, Eclipse Foundation, NLnet Labs) believe the broad wording may cause unintentional harm
- Article 16 implies FOSS devs “might bear legal and financial responsibility for the way their components are applied in someone else’s commercial product”
- instead, “increased liability should be carefully assigned to the entity that has entered into an agreement with the consumer”
- indirect monetisation (e.g. advertising paid courses & conference tickets) should not always make software qualify as “commercial”
- however scope of any FOSS exemptions should be carefully limited to prevent commercial abuse/loopholes
personal opinions
- if you hire an engineer to build a safe and they use substandard components, you sue the engineer. The engineer in turn can sue the component makers if they had a contract. You don’t sue the component makers directly
- I’m sceptical that any new law could realistically override the “PROVIDED AS IS/NO WARRANTY” clause in FOSS licences
- more counterarguments: OS is Illegal