Tech Newsday

Python Software Foundation raises concerns over EU cybersecurity laws

The Python Software Foundation (PSF) has expressed concern over the potential impact of proposed cybersecurity laws in the European Union (EU) on open-source developers and organizations.

The PSF argues that the current wording of the proposed law would result in open-source developers and organizations being unfairly held liable for distributing incorrect code.

The PSF, along with several other organizations such as the Eclipse Foundation and NLnet Labs, has called for EU lawmakers to clarify the vague language of the legislation, to ensure that open-source developers and organizations are not held accountable for flaws in commercial products that incorporate their code. They warn that such a move would discourage contributors to open-source projects.

Last year, European lawmakers introduced two pieces of legislation aimed at improving software security and liability. The Cyber Resilience Act (CRA) requires product makers to review product security, implement vulnerability mitigation procedures, and disclose security information to customers to promote digital product security. Meanwhile, the Product Liability Act updates product liability rules in Europe to include digital product changes arising from software updates.

The CRA’s public comment period closed in November, and the public consultation period for the law concludes on May 25. If adopted, the maximum fines under the law could reach €15 million or up to 2.5 percent of annual turnover, whichever is greater. However, the CRA has yet to be adopted by the European Parliament and Council.

The PSF has urged EU lawmakers to provide clear exemptions for public software repositories serving the public good and for organizations and developers hosting packages on public repositories. The PSF has also requested lawmakers to clarify the vague language in the proposed legislation to prevent open-source developers and organizations from being unfairly held liable for distributing incorrect code.

The sources for this piece include an article in The Register.
