
Re: Call for vote: public statement about the EU Legislation "Cyber Resilience Act and Product Liability Directive"



On 11/20/23 00:21, Luca Boccassi wrote:
Second version, taking into account feedback. Looking for seconds at
this point:

     ----- GENERAL RESOLUTION STARTS -----

     Debian Public Statement about the EU Cyber Resilience Act and the
     Product Liability Directive

     The European Union is currently preparing a regulation "on horizontal
     cybersecurity requirements for products with digital elements" known as
     the Cyber Resilience Act (CRA). It's currently in the final "trilogue"
     phase of the legislative process. The act includes a set of essential
     cybersecurity and vulnerability handling requirements for manufacturers.
     It will require products to be accompanied by information and
     instructions to the user. Manufacturers will need to perform risk
     assessments and produce technical documentation and for critical
     components, have third-party audits conducted. Security issues under
     active exploitation will have to be reported to European authorities
     within 24 hours (1). The CRA will be followed up by an update to the
     existing Product Liability Directive (PLD) which, among other things,
     will introduce the requirement for products on the market using software
     to be able to receive updates to address security vulnerabilities.

     Given the current state of the electronics and computing devices market,
     constellated with too many irresponsible vendors not taking
     enough precautions to ensure and maintain the security of their products,
     resulting in grave issues such as the plague of ransomware (that, among
     other things, has often caused public services to be severely hampered or
     shut down entirely, across the European Union and beyond, to the
     detriment of its citizens), the Debian project welcomes this initiative
     and supports its spirit and intent.

     The Debian project believes Free and Open Source Software Projects to be
     very well positioned to respond to modern challenges around security and
     accountability that these regulations aim to improve for products
     commercialized on the Single Market. Debian is well known for its
     security track record through practices of responsible disclosure and
     coordination with upstream developers and other Free and Open Source
     Software projects. The project aims to live up to the commitment made in
     the Debian Social Contract: "We will not hide problems." (2)

     The Debian project welcomes the attempt of the legislators to ensure
     that the development of Free and Open Source Software is not negatively
     affected by these regulations, as clearly expressed by the European
     Commission in response to stakeholders' requests (1) and as stated in
     Recital 10 of the preamble to the CRA:

      'In order not to hamper innovation or research, free and open-source
       software developed or supplied outside the course of a commercial
       activity should not be covered by this Regulation.'

     The Debian project however notes that not enough emphasis has been
     employed in all parts of these regulations to clearly exonerate Free
     and Open Source Software developers and maintainers from being subject
     to the same liabilities as commercial vendors, which has caused
     uncertainty and worry among such stakeholders.

     Therefore, the Debian project asks the legislators to enhance the
     text of these regulations to clarify beyond any reasonable doubt that
     Free and Open Source Software developers and contributors are not going
     to be treated as commercial vendors in the exercise of their duties when
     merely developing and publishing Free and Open Source Software, with
     special emphasis on clarifying grey areas, such as donations,
     contributions from commercial companies and developing Free and Open
     Source Software that may be later commercialised by a commercial vendor.
     It is fundamental for the interests of the European Union itself that
     Free and Open Source Software development can continue to thrive and
     produce high quality software components, applications and operating
     systems, and this can only happen if Free and Open Source Software
     developers and contributors can continue to work on these projects as
     they have been doing before these new regulations, especially but not
     exclusively in the context of nonprofit organizations, without being
     encumbered by legal requirements that are only appropriate for
     commercial companies and enterprises.

Hi,

Thanks a lot for taking the time to word out things this way.

However, I really think this text is being too nice with the EU. The feeling in short is reading:
- what you did was good
- what you did was good
- what you did was good
- oh, btw, there's room for improvement... it'd be nice if...

That's not at all my feeling about the CRA. I'm once more really unhappy about the EU; I feel like we're getting trapped by big corp and their lobbying power, and we need to use stronger words.

In the absence of something better, I'll still vote for the above...

Cheers,

Thomas Goirand (zigo)

