This week’s news is that the European Parliament has approved the European Cyber Resilience Act, and I believe it to be good news for us free and open-source developers.
A lot was said prior to its approval, but much of it was dramatic and unhelpful, failing to focus on the positive aspects of this effort by the European Commission.
Understanding the Act’s Core Points
The Act aims to improve the EU’s ability to prevent and respond to cyber-attacks in a coordinated way. This is very important, as cyber-attacks are the first line of contemporary warfare: Ukraine may be considered the first conventional cyberwar in the history of mankind, as our fellow Nicolas Brien argues.
As much as I don’t like war and do not want this to happen, reality must be faced, and a coherent strategy must be chosen. As the title of this act suggests, resiliency is the way for Europe, and it is a wise choice that helps improve the synergy between member states.
Delving into its text, I understood that, at its heart, the European Cyber Resilience Act is not simply about defence but also about fostering a fair environment for the digital industry dealing with data, information, and knowledge. It urges Member States to share information on cyber threats and promotes a collaborative approach to cybersecurity. It envisions a united front against cyber adversaries, where knowledge is power.
A Victory for Open Source
The inclusion of Open Source development in the Act is a significant win. Our model has long been overlooked in Europe, yet it is a potential powerhouse: it is well demonstrated that with our development methodology, we foster innovation, collaboration, and transparency.
Open source software is a key enabler of innovation and economic growth. By promoting its use and development, the Cyber Resilience Act will help to ensure that Europe remains at the forefront of the digital revolution.
- Neelie Kroes
The act’s recognition of the importance of open-source is a groundbreaking moment in Europe’s digital history. In the USA, it has been fully assimilated for more than a decade, and businesses have shown the ability to build value around it. In the EU, however, there is still a lot of potential to be exploited, there is room to grow, but we are limited by cultural norms and business practices. Now the European Commission recognizes the model of free/open source software, open and collaborative, as a way to build the much-desired European digital sovereignty, as well to face mission-critical tasks.
Silver lining the mega-corporations
The most vocal criticism of the act came from open-source-leaning mega-foundations which, today, hold the stewardship position of large-scale software stacks mostly built in the USA during the past 20 years. The best round-up of the criticism is published by the Apache Foundation, and it helps highlight the most salient point: how we determine when software becomes a liability for societies and needs to be regulated by the norms of the Cyber Resilience Act.
The act differentiates grass-roots development and research from software exploited commercially at a large scale, even if both can be free and open source. It establishes that all norms need to be applied when the decision-making process on algorithms, what I call algorithmic sovereignty, is de facto in the hands of individuals working for commercial entities.
I applaud this choice of the European Commission because today, after decades of open-source institutionalization by our colleagues in the USA, the open-source bazaar is dominated by a conundrum of mega-corporations (GAFAM) funding mega-foundations (Apache, Linux, Mozilla…) to dominate most choices made about software. Europe’s act establishes that it doesn’t matter what kind of institution takes the stewardship of software: it is not made by a community when a “benevolent dictator” steers decisions while being paid by a company exploiting the commercial values of software. Such individuals obviously listen to the requirements of their own constituency, to the point of becoming unresponsive to the needs and concerns of the community.
Indeed, many of us who have embraced GNU/Linux in our infrastructure often feel like unwitting participants in a high-stakes tech experiment. It’s a sentiment I’ve dived deep into, particularly when exploring the complex scenarios of systemd, where vulnerable software was knowingly deployed at scale.
Let us also consider that there are already thousands of companies out there adding barely 5% of code to huge community-built software stacks. When these companies succeed in their plans to profit, they try to buy control of the 95% of open-source commons by buying people in; otherwise they fail to control what they depend upon.
Solutions to dependency problems are facilitated by open source, but that will not be enough without the sort of norms this act states to regulate liabilities.
The Heart of the Act
One of the key points of the Cyber Resilience Act is the establishment of a European Cybersecurity Certification Framework. This framework will provide a common set of standards and certifications for all ICT products, services, and processes across the EU. This will help to ensure that all products and services meet a minimum level of cybersecurity and data protection requirements.
Certifications have been a driving business model for the growth of big open-source companies such as Red Hat, and their parameters and focus have been established by the biggest market players without taking into account the validation of the academic and public sectors. I like to think that in Europe we do this in a different way, and this act is another big step in this direction.
The Commission aims to lead Europe’s digital transition by example. With the new rules, the Commission will bring significant value to companies, start-ups, innovators, citizens and public administrations by open sourcing its software solutions. This decision will also spur innovation, thanks to publicly available Commission code.
- Mariya Gabriel
The beauty of the Free and Open Source model lies in its openness and collaboration. It’s not just about creating software but also fostering a community of innovation and learning, opening the field for European small and medium enterprises to play along clear rules and to work for the transparency and quality of systems. This is the blueprint for the much-desired European digital sovereignty.
Forkbomb and Dyne.org: Pioneering Open Source
At the Dyne.org foundation and our new sister company, Forkbomb, we’re proud to be pioneering this change. We work tirelessly with professional-grade open-source software, creating technology that is by the people, for the people.
We embrace this new era of digital growth for Europe, confident that the liabilities we have always faced and taken responsibility for will be dealt with in a cooperative and faithful environment.
Reflecting on our successful and outstanding decade-long journey working for the European Commission, our biggest problem has always been cultural in nature: the lack of understanding, by the industry, of the importance of the free and open-source software movement. This problem has never been and will never be solved by the industry or a proxy institution, but by the sort of cultural and political shift Europe is promoting today.