EU Cyber Resilience Act

In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software.

This seems very confusing and complex to me to be honest. Maybe someone with more expertise in the field can explain what this is about.


I have not been able to read and understand it, and I hope that someone can explain it properly.

But the general idea seems to be that digital services and products have to be certified that they are safe and secure for the users. Certification means that they have to comply with certain rules and regulations, and somebody has to check and verify that they do actually comply.

For example, in the construction business you have to follow certain rules, to ensure that the buildings are resistant to possible earthquakes. Then, before you start marketing the apartments, somebody has to check and certify that these rules have been followed properly. This is in general a good practice for protecting the public, despite the fact that sometimes the corruption may circumvent proper certification (thinking that an earthquake will never happen, or it will happen too far in the future).

Because the certification process is costly, this may become a barrier for free software that is distributed for free (and does not have a business model). So, this kind of software is not covered by these regulation rules, in order not to hamper innovation. But if someone takes this software and tries to sell it to people, either as a product or as a service, they have to do the certification.

This legislation is still a proposal and it is still being discussed and amended by the interested parties.