Dear colleagues,

The RIPE NCC is preparing its response to the proposed Cyber Resilience Act, 
which will detail how we see the regulation impacting our own operations, 
particularly in light of RIPE Atlas and RPKI and the further need for 
clarification we see around a number of definitions and points in the current 
proposal. 

In addition to our own impact analysis, we’d like to highlight the fact that 
we’ve also heard feedback on the proposal from within the RIPE community. I’ve 
drafted a summary of that feedback below, which we intend to include in our 
submission to the European Commission. 

If you’re interested in this topic, I would be happy to hear whether you feel 
I’ve captured the major concerns accurately or whether any major points are 
missing. 

I know that some of you are also preparing your own submissions, which I highly 
encourage. After some back and forth, the deadline for contributions was set to 
23 January:

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
 

Thank you,

Suzanne

********
In addition to the above analysis regarding the CRA’s impact on our own 
operations, we would like to note several broader concerns that have been 
discussed within the RIPE community. We do so in our role as secretariat for 
RIPE, which is an open, inclusive community that welcomes the participation of 
anyone with an interest in IP-based networking. It is this community that 
develops policies around the allocation and distribution of Internet number 
resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service 
region of Europe, the Middle East and parts of Central Asia, and it is the role 
of the RIPE NCC to implement these policies, which are developed via a 
consensus-based, multistakeholder approach. 

As such, we feel it is important to highlight some of the feedback we’ve heard 
from the RIPE community at recent RIPE Meetings and on various RIPE mailing 
lists regarding the potential impact the CRA could have on the open-source 
community and the development of open-source software and services that play an 
essential role in the functioning of the open, global Internet. 

While the European technical community has welcomed the exception for 
open-source software provided by the proposed text, the exemption applies only 
to open-source software that is “developed or supplied outside the course of a 
commercial activity”. This wording leaves a lot of room for interpretation as 
to what, precisely, constitutes commercial activity, especially when taking 
into consideration the fact that charging for technical support services is 
considered commercial activity, as is the monetisation of other services 
provided via a software-sharing platform. 

The RIPE community has pointed out that open-source developers often don’t work 
for an established organisation and are not paid for their efforts in 
developing software, but may well earn money by contributing support services. 
As such, the CRA could place undue burden on these developers, who oftentimes 
contribute to open-source projects as a hobby and for the “good of the 
Internet”, and who will simply be unable to follow and comply with complex 
regulatory measures. Alternatively, several not-for-profit organisations 
contribute open-source software that is widely used by technical operators 
around the world, yet the definition of commercial activity makes it unclear 
whether these organisations would be exempt from the CRA or would fall under 
scope depending on how their software development is funded, whether via a 
membership, sponsorship, donations or other means.

Another concern is that, while larger organisations will be able to afford 
certification and compliance, smaller players may well be priced out of the 
market, thereby decreasing competition and innovation — which would move the EU 
further away from its stated goals, rather than help achieve them. Open-source 
software developers may simply decide that the cost of compliance within the EU 
is too high or that the lack of legal clarity is not worth the hassle, which 
could lead them to place geographical restrictions on their products. While 
this may result in better harmonisation within the EU, it would also reduce the 
availability of open-source software within the EU and would create a more 
fractured global landscape, which would again be counter to the EU’s ambitions 
and its recognition of the important role that open-source software development 
plays in furthering innovation and supporting Internet development.

For these reasons, we would urge the European Commission, on behalf of the RIPE 
community, to further clarify what is meant by “the course of a commercial 
activity” and to do so with the aim of encouraging and strengthening 
open-source developers for the common good of the Internet and the European 
Union.

We would also encourage the European Commission to work directly with the 
open-source community and the RIPE community, as a source of technical expertise, 
when developing proposals for regulatory measures that will have a significant 
impact on the technical community, the technical operation of the Internet and 
the Internet landscape within the European Union. 

For a more detailed discussion of these concerns within the technical 
community, please consult the following:

The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem
Olaf Kolkman, Internet Society 
https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/
 

Open-source software vs. the proposed Cyber Resilience Act
NLnet Labs
https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do
 

Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting)
Maarten Aertsen
https://ripe85.ripe.net/archives/video/911/ 

ICANN Training Series - Nordic Region: Why some Internet Legislation Might 
Cause a Headache
Lars-Johan Liman, Netnod
https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might
 

Archive of discussion on RIPE Cooperation mailing list
https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html 

********