EU Parliament is threatening the Open Source industry with the Cyber Resilience Act

This validates my thesis that asking governments for help is not a good idea when looking for solutions for boosting innovation and helping knowledge-based industries to grow. Successful Free Open Source projects are the result of spontaneous action from motivated individuals and enthusiastic communities.

In contrast, the Cyber Resilience Act would create an elitist environment that could only favor big corporations and government agencies, to the detriment of the welfare of online communities and independent researchers.

The concerns about the impact of such unnecessary regulations are expressed in these articles:

“Putting regulatory cost burdens on a part of the market with no revenue and no gatekeeping on its distribution channels cannot work; there are no prices to increase to absorb compliance costs and no tap to turn off to keep the stuff off the market. And FOSS can’t be outlawed. To re-engineer infrastructure and applications to exclude it would be unthinkably expensive and undoubtedly vastly destabilizing for cybersecurity resilience. To allow grandfathering – allowing pre-regulatory software components to continue to be used but demand compliance if new or updated – would freeze the sector to death.”

“The question is though: how can free software developers afford the cost of compliance, when lack of funding is already a critical issue for many projects? Mike Milinkovich, director of the Eclipse Foundation, said it is “deeply concerned that the CRA could fundamentally alter the social contract which underpins the entire open source ecosystem: open source software provided for free, for any purpose, which can be modified and further distributed for free, but without warranty or liability to the authors, contributors, or open source distributors.””

To get some clarity, let me decouple Open Source (a person writes code and shares it under an OSI license or in the public domain) from Open Source Layer 2 (additional gameplay on top).

Question no. 1: Does the EU want to replace OS with OSL2?

Question no. 2: Does the EU's OSL2 model include an obligation to guarantee the well-being of maintainers as compensation for the compliance overhead?