Authors Matthias Bolt-Lesniak, Boris Hinzer
Info: Due to a limitation in talk.typo3.org, we posted the links to the sources in the HedgeDoc document.
The EU wants to strengthen cybersecurity by setting forth requirements for products with digital elements. The goal of the regulations, known as the Cyber Resilience Act, is to ensure more secure hardware and software products.
TYPO3 supports the EU’s goal of increasing software security, and we can’t simply expect FOSS to be excluded from the act. However, the EU proposal does not consider the special aspects of free and open-source software (FOSS).
To achieve CE marking for a product, the proposal moves liability for the security of the hardware or software to the vendor. Defining who the vendor is and mapping the liability of contributors is very hard for FOSS projects. Although the legislation includes an exemption for non-commercial activity, what constitutes commercial activity is not well-defined. It also includes a clause against unfinished software.
The open-source content management systems WordPress, Drupal, Joomla and TYPO3 joined forces and wrote an open letter to the EU legislators, raising their concerns and inviting them to a dialogue.
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetizes other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
Directive 85/374/EEC is complementary to this Regulation. That Directive sets out liability rules for defective products so that injured persons can claim compensation when damage has been caused by defective products. It establishes the principle that the manufacturer of a product is liable for damages caused by a lack of safety in their product, irrespective of fault (‘strict liability’). Where such a lack of safety consists in a lack of security updates after placing the product on the market, and this causes damage, the liability of the manufacturer could be triggered. Obligations for manufacturers that concern the provision of such security updates should be laid down in this Regulation.
Member States shall not prevent the making available of unfinished software which does not comply with this Regulation, provided that the software is only made available for a limited period required for testing purposes and that a visible sign clearly indicates that it does not comply with this Regulation and will not be available on the market for purposes other than testing.
- HedgeDoc Link containing all links: Cyber Resilience Act and why the TYPO3 Association needs your help until the end of August 2023 - HedgeDoc
The open letter was well received by the EU legislators and an open discussion was started. The EU legislator asked us for constructive feedback, and we have formulated the following questions:
- What do you consider to be the definition of a not-for-profit FOSS product? When does it become commercial?
- When do you consider a TYPO3 extension or service to be commercial?
- What kind of processes and requirements would you consider appropriate for establishing standardized security handling?
- Which of our standards and best practice recommendations could be suitable as a requirement within the legislation to achieve CE marking?
- How can we generalize such standards to become usable by any FOSS project?
- What is our definition of the TYPO3-related products’ responsibility for code contributions? How far does the responsibility reach?
- What is our definition of the TYPO3 products’ responsibility for dependencies? How far does the responsibility reach?
- Who is responsible for the warranty and liability of publicly available TYPO3 websites including or excluding third-party code (thinking of Freelancers, TYPO3 Customer, TYPO3 Agency, TYPO3 Association)?