Joomla and the EU Cyber Resilience Act
You may have heard of it already: the EU is preparing its Cyber Resilience Act (CRA), a European law about hardware and software. This CRA is coming our way, and it affects Joomla and other open source software.
In fact, the impact on Free and Open Source Software could be so large and significant that the four major CMS (Drupal, Joomla, Typo3 and WordPress) decided to work together to do something about this. First steps in this collaboration were a joint Open Letter to EU legislators (July 25, 2023) and a joint webinar on August 2, 2023. During this webinar, Crystal Dionysopoulos (Joomla), Tim Doyle (Drupal), Mathias Bolt Lesniak (Typo3), Josepha Haden Chomphosy (WordPress) and Ciarán O'Riordan (Open Forum Europe) explained the CRA, along with their concerns, to their communities (500 people registered for that).
What’s the idea of the CRA?
The intention of the CRA is to regulate software and hardware cybersecurity in the EU. The CRA wants to protect business users and consumers, by ensuring products in the EU have fewer vulnerabilities, the security process is transparent and clear, and manufacturers are responsible for the cybersecurity of a product throughout its lifecycle.
Wait a minute, you say ‘manufacturers’?
We’ll come to that later.
OK, back to the intention then. It’s a good intention, right? We’re all for secure and safe software. We’re pretty much the safest CMS in the world! We should totally back this CRA!
Yes. And we fully agree with the intentions. In fact, the intentions of the CRA are in line with the standards of Free and Open Source Software.
Then why this fuss? What in the CRA is so important we need to form an alliance with our competitors? Because we’ve never done that before, that’s for sure.
This is indeed the first time the four major Content Management Systems (Drupal, Joomla, Typo3 and WordPress), which together power 50% of all European websites, have worked together.
We have a lot in common, actually. We all work under a GPL license, we’re all PHP based, we’re community-focused and we all have over 18 years of experience. Each one of us is a not-for-profit organization, we rely on corporate contributions, we’re volunteer-driven and our products mostly power small businesses. Together we’re strong!
So, to answer your question: it’s not the CRA itself, it’s the wording. The way it’s written doesn’t show a very clear understanding of what Open Source Software actually is and how it’s developed. As a result, parts of the CRA are potentially damaging for all of us and could eventually lead to software that’s less safe instead of safer.
That doesn’t sound good at all. What are the main concerns?
First, there’s this part:
In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.
It is totally unclear what this means. The definition of ‘commercial activity’ is far too broad. People make money by using our software to create or maintain websites, or by developing extensions. Under this definition, that could easily count as commercial activity. Would the CRA apply to us in that case? And is there any Free and Open Source Software at all that would fall outside this definition of commercial activity? Every CMS ecosystem needs money to even exist.
Second, there’s the notion of ‘unfinished software’. The rule only exempts unfinished software that is made available solely for testing purposes and is not available on the market. Such language ignores the reality of modern software development, which relies on releasing software early to get more feedback.
And our third concern answers your question about manufacturers. The rule takes the principle that the manufacturer of a product is liable for its lack of safety and applies it to software security. That’s a bit different in our situation, because, well, we don’t have a single ‘manufacturer’. That’s what open source is all about. And if there’s no single manufacturer, who would be responsible for bugs and security risks? You guessed it: every single developer who has contributed to the Joomla code. This could make the inclusion of FOSS in EU software solutions unworkable.
So what you’re basically saying is we could all get huge penalties if a security issue in Joomla causes trouble somewhere?
In theory: yes. We could face legal liability for vulnerabilities. And not only that.
The CRA could impact our projects and the open source ecosystem as a whole.
Non-profit associations/organizations could be categorized as ‘commercial’ and be forced to comply with a standard that limits our open source way of life. Limiting or preventing early releases (alpha and beta versions) could make development a lot more difficult.
Contributing (as a volunteer, as a paid developer, or with sponsorship) may become more complicated if every contribution has to remain compliant with CRA requirements. Our broader communities (web agencies, extension developers, etc.) and small companies/products might all of a sudden have to comply with CE marking requirements.
That would certainly get the fun out of contributing. How can we stop this thing from happening?
We can’t, and that’s not what we want.
We want to make sure the people who are responsible for the CRA understand how Open Source Software works and how the wording should be changed to make it clearer for everyone.
How are we going to do that?
We will continue to work together to make this happen. The webinar on August 2nd was the first step in informing our communities.
Since Open Source will be included one way or another, the best way to minimize negative impact is to work with the EU constructively. So that’s what we’ll do. We have written an Open Letter addressed to EU legislators (read it here: https://www.joomla.org/announcements/general-news/5891-open-letter-foss-cms-cyber-resilience-act.html), and we proactively offer open-source-first language and best practices that will (hopefully) influence the final wording of the CRA.
We are going to organize a seminar in Brussels to discuss with legislators in person about the nature of open source projects and communities. This seminar will take place in September/October 2023.
How can I help?
Talk about this. Write about this. Make videos about this. Lobby. Spread the word! Sharing this article on your socials might be a good start 🙂
It would also be really helpful if you could share some suggestions for good security practices for open source projects, for core as well as extension development, so we can suggest concrete ideas to legislators.
Feel free to comment below or share in the dedicated Mattermost channel: https://joomlacommunity.cloud.mattermost.com/main/channels/cyber-resilience-act (not on Mattermost yet? Come join us! Here’s how: https://magazine.joomla.org/all-issues/november-2022/getting-the-most-out-of-mattermost ).