Remember when we wrote about the EU preparing its Cyber Resilience Act (CRA), a European law about hardware and software? We were really concerned about the way it would affect Joomla and other open source software. Well… there's news.

First, a brief summary of what this is all about. The idea of the CRA is to regulate software and hardware security in the European Union to protect users (both business and consumers). Products in the EU should have less vulnerabilities, a transparent and clear security process, and their manufacturers should be responsible for the security of the product throughout its lifecycle.

What was the major concern?

The 2022 draft of the CRA stated that the regulations don't apply to free and open source software developed or supplied outside the course of a commercial activity.

So far, so good. But further on, it had a very broad and unclear definition of ‘commercial activity', which implied that if money could be made with your software, everyone contributing to that software could be held responsible for its security. And that didn't look good for us; everywhere in our ecosystem, people are making money with Joomla. 

So the CRA could have a large impact on Free and Open Source Software. This is why the four major CMS (Drupal, Joomla, Typo3 and WordPress) got together to see if they could do something about this. They sent a joint Open Letter to EU legislators (July 25, 2023) and organized a joint webinar on August 2, 2023 to explain the CRA and share their concerns to their communities. 

What changed?

The Commission, Parliament and Council have agreed to an important clarification: "the provision of free and open-source software products with digital elements that are not monetised by their manufacturers is not considered a commercial activity". 

And: "The mere circumstances under which the product has been developed, or how the development has been financed should therefore not be taken into account when determining the commercial or non-commercial nature of [making free and open-source software available on the market." 

This clarification puts us right where we belong: our software is "supplied outside the course of a commercial activity", so we're Open Source, and therefore the CRA won't affect us as Joomla.

Anything else?

Yes. Because while Joomla is clearly not considered a commercial activity, extension developers who charge money for their extensions are. If you're an extension developer, you're probably already doing everything in your power to make sure your extensions are safe and secure. Keep doing that, and make sure to familiarize yourself with the content of the CRA.

When is this going to happen?

The Cyber Resilience Act is planned to come into force in the beginning of 2024 (!), and software manufacturers have 36 months to apply the rules after that. Check the CRA Fact sheet to get an overview.