EU: Proposed liability rules will harm Free Software

The EU is currently debating the introduction of liability rules for software, including Free Software. The relevant proposals are the AI Act, Product Liability Directive (PLD), and Cyber Resilience Act (CRA). The way they are, all proposals will harm the Free Software ecosystem and thus the society and the economy.

The main debate happens around the Cyber Resilience Act. We will therefore discuss the risks and solutions using this Act as an example.

While we welcome the discussion on more cyber security, we doubt that the introduction of liability alone will lead to more cyber security. In Free Software in particular, far-reaching security measures are already in place, and these measures differ from those used for proprietary software.

The proposal to exclude Free Software “outside the course of a commercial activity” would leave a large part of deployed software uncovered. At the same time, smaller and non-profit projects would be harmed, as they would have to bear major costs.

We, therefore, propose a solution that will lead to more security while safeguarding the Free Software ecosystem:

  1. Liability should be shifted to those deploying Free Software instead of those developing Free Software, and
  2. those who significantly financially benefit from this deployment should make sure the software becomes CE-compliant.

Free Software, with its four freedoms to use, study, share, and improve the code, makes it easy for anyone to develop and improve the code while making it available to everyone. In cases of security incidents, developers who might only receive micro or small payments, are non-profit, or do not earn a single Euro for their work might be held liable. Making them liable could create burdens that projects could not handle alone. Free Software is everywhere nowadays, and those deploying Free Software, especially Free Software from small projects, must take on more responsibility, if only in their own interest.

Putting the burden of liability on these small or non-profit entities would harm the Free Software ecosystem, and thus society and business equally: lacking the funding and resources to go through these procedures, some of these projects might have to stop completely, and it would not necessarily lead to more security. Moreover, many small Free Software projects already have well-working security assessments in place. Introducing new workflows or even consulting third parties would have financial consequences that would be almost impossible to bear. Ways to address the funding problem could be a dedicated fund to support these projects, or the introduction of a scoring system that shows how much a company invests in the security of the Free Software projects it uses. However, neither of these proposals can be implemented quickly, so the problem will persist. Therefore, transferring liability to those who deploy the software and seek to profit significantly from it seems to be a better solution.

To address this, the current wording needs to be improved. The concept of “commercial activity” should be replaced with an approach that focuses on deployment rather than on development, and the responsibility to fulfil these requirements should lie with the entity that benefits in the market. Likewise, exemptions for non-profit entities and micro enterprises should be introduced. In other words, liability should be moved towards those deploying these solutions that are substantially profit-oriented companies.

This will ensure that all Free Software solutions that are used on a significant level are assessed under the liability rules in the CRA, PLD, and AI Act, while the financial burden is shifted to those who seek to make a profit from these solutions. They will be the ones having to make sure that someone runs through the procedures needed for their software to get the CE label. Deployers could collaborate and fund the projects they use, or could run through the procedures themselves. They ought to make sure that modifications are fed back into the projects.

We also presented this position in a public hearing in the European Parliament.

It is a complex debate with far-reaching implications and positions that change every day. We will continue to work on this issue in the upcoming months. If you are interested in getting involved or joining our activities, please contact us via email.