EU's proposed Cyber Resilience Act


Desiree Miloshevic

Jan 17, 2023, 2:35:06 PM
to haklab
Greetings

Europe is proposing a new regulation, the Cyber Resilience Act, which concerns software certification.

If you are interested in the legal future of Open Source development and of the OS community in Europe, attached is
a comment from the RIPE technical community, which proposes that the regulation leave out open source software
that is developed outside of commercial activities, as well as that which is developed as part of commercial activities.


Dez
---


********
In addition to the above analysis regarding the CRA’s impact on our own operations, we would like to note several broader concerns that have been discussed within the RIPE community. We do so in our role as secretariat for RIPE, which is an open, inclusive community that welcomes the participation of anyone with an interest in IP-based networking. It is this community that develops policies around the allocation and distribution of Internet number resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service region of Europe, the Middle East and parts of Central Asia, and it is the role of the RIPE NCC to implement these policies, which are developed via a consensus-based, multistakeholder approach. 

As such, we feel it is important to highlight some of the feedback we’ve heard from the RIPE community at recent RIPE Meetings and on various RIPE mailing lists regarding the potential impact the CRA could have on the open-source community and the development of open-source software and services that play an essential role in the functioning of the open, global Internet. 

While the European technical community has welcomed the exception for open-source software provided by the proposed text, the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity”. This wording leaves a lot of room for interpretation as to what, precisely, constitutes commercial activity, especially when taking into consideration the fact that charging for technical support services is considered commercial activity, as is the monetisation of other services provided via a software-sharing platform. 

The RIPE community has pointed out that open-source developers often don’t work for an established organisation and are not paid for their efforts in developing software, but may well earn money by contributing support services. As such, the CRA could place undue burden on these developers, who oftentimes contribute to open-source projects as a hobby and for the “good of the Internet”, and who will simply be unable to follow and comply with complex regulatory measures. Alternatively, several not-for-profit organisations contribute open-source software that is widely used by technical operators around the world, yet the definition of commercial activity makes it unclear whether these organisations would be exempt from the CRA or would fall under scope depending on how their software development is funded, whether via a membership, sponsorship, donations or other means.

Another concern is that, while larger organisations will be able to afford certification and compliance, smaller players may well be priced out of the market, thereby decreasing competition and innovation — which would move the EU further away from its stated goals, rather than help achieve them. Open-source software developers may simply decide that the cost of compliance within the EU is too high or that the lack of legal clarity is not worth the hassle, which could lead them to placing geographical restrictions on their products. While this may result in better harmonisation within the EU, it would also reduce the availability of open-source software within the EU and would create a more fractured global landscape, which would again be counter to the EU’s ambitions and its recognition of the important role that open-source software development plays in furthering innovation and supporting Internet development.

For these reasons, we would urge the European Commission, on behalf of the RIPE community, to further clarify what is meant by “the course of a commercial activity” and to do so with the aim of encouraging and strengthening open-source developers for the common good of the Internet and the European Union.

We would also encourage the European Commission to work directly with the open source community and the RIPE community, as a source of technical expertise, when developing proposals for regulatory measures that will have a significant impact on the technical community, the technical operation of the Internet and the Internet landscape within the European Union. 

For a more detailed discussion of these concerns within the technical community, please consult the following:

The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem
Olaf Kolkman, Internet Society 

Open-source software vs. the proposed Cyber Resilience Act
NLnet Labs

Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting)
Maarten Aertsen

ICANN Training Series - Nordic Region: Why some Internet Legislation Might Cause a Headache
Lars-Johan Liman, Netnod

Archive of discussion on RIPE Cooperation mailing list

********
--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/cooperation-wg

wis...@gmail.com

Jan 18, 2023, 1:21:54 AM
to haklab
I support this position of RIPE and note that, with a few exceptions, all internet/cyberspace/crypto regulations adopted by states and unions of states around the world are largely or entirely contrary to the Declaration of the Independence of Cyberspace.
On the other hand, the fundamental question of who will be responsible for criminal activities in cyberspace and in reality under decentralized circumstances still has no answer.

Joost van Baal-Ilić

Jan 18, 2023, 1:37:13 AM
to Desiree Miloshevic, haklab
Thank you! Link to archive post, for e.g. sharing on social media, is @
https://www.ripe.net/ripe/mail/archives/cooperation-wg/2023-January/001641.html

Bye,

Joost


On Tue, Jan 17, 2023 at 08:35:01PM +0100, Desiree Miloshevic wrote:
> Greetings
>
> Europe is proposing a new regulation, the Cyber Resilience Act, which concerns software certification.
>
> If you are interested in the legal future of Open Source development and of the OS community in Europe, attached is
> a comment from the RIPE technical community, which proposes that the regulation leave out open source software
> that is developed outside of commercial activities, as well as that which is developed as part of commercial activities.
>
>
> Dez
> ---
> >
> > https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
> >
> > ********
> > In addition to the above analysis regarding the CRA’s impact on our own operations, we would like to note several broader concerns that have been discussed within the RIPE community. We do so in our role as secretariat for RIPE, which is an open, inclusive community that welcomes the participation of anyone with an interest in IP-based networking. It is this community that develops policies around the allocation and distribution of Internet number resources (IP addresses and Autonomous Systems) within the RIPE NCC’s service region of Europe, the Middle East and parts of Central Asia, and it is the role of the RIPE NCC to implement these policies, which are developed via a consensus-based, multistakeholder approach.
> >
> > As such, we feel it is important to highlight some of the feedback we’ve heard from the RIPE community at recent RIPE Meetings and on various RIPE mailing lists regarding the potential impact the CRA could have on the open-source community and the development of open-source software and services that play an essential role in the functioning of the open, global Internet.
> >
> > While the European technical community has welcomed the exception for open-source software provided by the proposed text, the exemption applies only to open-source software that is “developed or supplied outside the course of a commercial activity”. This wording leaves a lot of room for interpretation as to what, precisely, constitutes commercial activity, especially when taking into consideration the fact that charging for technical support services is considered commercial activity, as is the monetisation of other services provided via a software-sharing platform.
> >
> > The RIPE community has pointed out that open-source developers often don’t work for an established organisation and are not paid for their efforts in developing software, but may well earn money by contributing support services. As such, the CRA could place undue burden on these developers, who oftentimes contribute to open-source projects as a hobby and for the “good of the Internet”, and who will simply be unable to follow and comply with complex regulatory measures. Alternatively, several not-for-profit organisations contribute open-source software that is widely used by technical operators around the world, yet the definition of commercial activity makes it unclear whether these organisations would be exempt from the CRA or would fall under scope depending on how their software development is funded, whether via a membership, sponsorship, donations or other means.
> >
> > Another concern is that, while larger organisations will be able to afford certification and compliance, smaller players may well be priced out of the market, thereby decreasing competition and innovation — which would move the EU further away from its stated goals, rather than help achieve them. Open-source software developers may simply decide that the cost of compliance within the EU is too high or that the lack of legal clarity is not worth the hassle, which could lead them to placing geographical restrictions on their products. While this may result in better harmonisation within the EU, it would also reduce the availability of open-source software within the EU and would create a more fractured global landscape, which would again be counter to the EU’s ambitions and its recognition of the important role that open-source software development plays in furthering innovation and supporting Internet development.
> >
> > For these reasons, we would urge the European Commission, on behalf of the RIPE community, to further clarify what is meant by “the course of a commercial activity” and to do so with the aim of encouraging and strengthening open-source developers for the common good of the Internet and the European Union.
> >
> > We would also encourage the European Commission to work directly with the open source community and the RIPE community, as a source of technical expertise, when developing proposals for regulatory measures that will have a significant impact on the technical community, the technical operation of the Internet and the Internet landscape within the European Union.
> >
> > For a more detailed discussion of these concerns within the technical community, please consult the following:
> >
> > The EU’s Proposed Cyber Resilience Act Will Damage the Open Source Ecosystem
> > Olaf Kolkman, Internet Society
> > https://www.internetsociety.org/blog/2022/10/the-eus-proposed-cyber-resilience-act-will-damage-the-open-source-ecosystem/
> >
> > Open-source software vs. the proposed Cyber Resilience Act
> > NLnet Labs
> > https://blog.nlnetlabs.nl/open-source-software-vs-the-cyber-resilience-act/#this-is-what-you-can-do
> >
> > Cyber Resilience Act Effects on OSS (presentation at RIPE 85 Meeting)
> > Maarten Aertsen
> > https://ripe85.ripe.net/archives/video/911/
> >
> > ICANN Training Series - Nordic Region: Why some Internet Legislation Might Cause a Headache
> > Lars-Johan Liman, Netnod
> > https://features.icann.org/event/icann-organization/icann-training-series-nordic-region-why-some-internet-legislation-might
> >
> > Archive of discussion on RIPE Cooperation mailing list
> > https://www.ripe.net/ripe/mail/archives/cooperation-wg/2022-October/001609.html
> >
> > ********

Desiree Miloshevic

Jan 18, 2023, 1:22:07 PM
to wis...@gmail.com, haklab
Thank you for the stated position of support for the RIPE letter. Joost, thanks for the full link.

Unfortunately, not a single state (weary giant) has signed JPB's declaration of the independence of cyberspace, because none was even invited to sign. :) Your message proves that the spirit will never be forgotten, at least not by netizens.

Dez