CRA and NIS2: Protecting the Free Software ecosystem in implementation
Together with NLnet Labs and the Open Source Security Foundation, the Free Software Foundation Europe (FSFE) submitted feedback on the NIS2 implementation act, pointing to the need to protect the European Free Software ecosystem.
The NIS2 implementation act, with its cyber security regulations and implementing decisions, also addresses the Free Software ecosystem in Europe. It is therefore crucial that these measures, while contributing to cyber security, do not hamper Free Software development, especially as Free Software is a strong component in the cyber security area.
“It is important to recognise the special nature of Free Software development and the Free Software ecosystem and its role in the software supply chain. Implementation needs to be proportionate and effective”, states Alexander Sander, FSFE.
In this sense, the FSFE, together with NLnet Labs and the Open Source Security Foundation, jointly provided feedback to the consultation on the European Commission’s draft NIS2 Implementing Act concerning "Cybersecurity risk management & reporting obligations for digital infrastructure, providers and ICT service managers" (launched on 27 June).
We raised our concerns about the focus on business-to-business (B2B) relationships. Complex software products, which are at the core of services of the digital infrastructure sector of NIS2, are often published by independent individuals, not-for-profit actors or academic organisations. In this case, beyond the freedoms granted by Free Software licences, no relationship exists between developer ('direct supplier') and an entity in scope for NIS2.
The FSFE actively participates in regulation processes such as consultations, attends hearings and is in close dialogue with decision-makers in the EU to make sure cyber security regulation does not hamper Free Software development. If you are negatively affected by the implementation of CRA and NIS2, please contact us.