FOSS could be an unintended victim of EU crusade to make software more secure

Opinion The European Union has a commendable love for the safety of its citizens. Armed with the keys to a market of 300 million of the world's richest consumers, the EU has merely to scent danger to bravely regulate. Food, consumer goods, financial markets and data processing: if it can bite the punter, the EU has a legal muzzle to hand.

This is an imperfect process, as regulations always are. Companies and free market libertarians chafe at not being allowed to poison, crush or electrocute paying customers or passers-by. But it turns out a well-regulated market inspires consumer confidence, doesn't stop innovation, and adds value to entire sectors. That it annoys libertarians is just a free bonus.

The EU has now turned its attention to cybersecurity and more especially the lack thereof. It's certainly dangerous enough to merit attention. A proposed Cyber Resilience Act (CRA) making its way through Brussels says that for "products with digital elements" to be allowed on the EU market, manufacturers have to demonstrate they follow best practice in four areas. These are improving the security of a product through the whole life cycle, following a coherent cybersecurity framework to measure compliance, demonstrate transparency about cybersecurity efforts, and lastly to make sure customers can use products securely. 

Which sounds fair enough, considering some of the horrors visited upon us in the past – and today. Cheap "smart" electronics running out-of-date Android that nobody's patched since Noah? Phones studded with "I bring you the best wishes of the People's Liberation Army" mystery-meat bloatware? Big name, big ticket office software that keeps making headlines for all the wrong reasons? Who could argue with bringing these into line?

There are just two questions that need to be answered: will the proposed regulations do the job they set out to do, and what effect will they have on the market? Here, it's not so much the devil in the details as the entire population of all seven layers of Dante's Inferno. 

The effect on the market, according to the EU's own risk assessment,  will be to cost some €29 billion, but with €180-290 billion saved through not having to deal with cybersecurity incidents. Exactly what counts as "products with a digital element" has been and is furiously debated, with the CRA dividing relevant software up into two categories of different importance and excluding – at the time of writing – software-as-a-service altogether.

SaaS is hotly disputed, with different EU countries taking differing stances on whether it can or should be regulated. What if a product has a chunk of software built in that talks to SaaS through an API? Will this drive more products into subscription models, taking them out of regulatory scope and into a bad revenue model for users?

But FOSS is in the most danger. The underlying assumption of the regulation is that cybersecurity exists in the digital market like fire resistance does in that for soft furnishings. Putting regulatory cost burdens on a part of the market with no revenue and no gatekeeping on its distribution channels cannot work; there are no prices to increase to absorb compliance costs and no tap to turn off to keep the stuff off the market.

• Bill shock? The red ink of web services doesn't come out of the blue
• Time to study the classics: Vintage tech is the future of enterprise IT
• Disruptive innovation's like a party. It's always happening elsewhere
• Citizen Coder? Happiness Concierge? Here come 2023's business cards

And FOSS can't be outlawed. To re-engineer infrastructure and applications to exclude it would be unthinkably expensive and undoubtedly vastly destabilizing for cybersecurity resilience. To allow grandfathering – allowing pre-regulatory software components to continue to be used but demand compliance if new or updated – would freeze the sector to death. And what "cybersecurity framework" would catch the sort of errors that currently only appear after intensive analysis by the few teams of good and bad hats who are already fully employed for better or worse on a tiny percentage of extant software.

The EU as a whole, and many of its member states in particular, has been very pro-FOSS, seeing it as a way to disrupt de facto non-European software monopolies and encouraging diversity and transparency. The CRA draft even exempts FOSS from compliance – but only if no commercial use is made of it, including things like technical support and as part of monetized services. That breaks so many funding models for FOSS it's not even funny. 

The principle of regulating digital products to make vendors take responsibility for cybersecurity is excellent but it demands proportionality. FOSS that is absolutely free of commercial interest isn't somehow more secure than one where you can buy a support contract. A far more general exemption that recognizes the intrinsic security advantages of software that is automatically transparent makes far more sense.

The bad news is that the period for official feedback on the CRA has just closed. The good news is that there's been a lot of feedback and the debate is far from over. Take the time to read a solid analysis or two – and if you're sensible enough to live in a EU member state, engage your MEP. No point in having a democracy if you don't use it. ®