The "Software Police" Are Coming: Why Open Source Is Terrified of the EU's New Laws
In recent years, the open-source community has watched the legislative horizon with growing dread. While governments publicly praise “innovation” and “digital sovereignty,” two massive pieces of EU legislation, the Cyber Resilience Act (CRA) and the Product Liability Directive (PLD), are set to rewrite the rules of software.
The goal of these laws is admirable: to force manufacturers to build more secure software and to make them liable when data breaches hurt consumers. But there is a catch. The internet wasn’t built by manufacturers. The vast majority of its critical infrastructure, from the encryption that protects your bank account to the server software running the NHS, is built by volunteers, academics, and small, independent projects.
For decades, this community has operated under a simple pact:
“The code is free to use, but it is provided ‘As Is,’ with no warranty and no liability.”
This new legislation attempts to shred that pact, treating open-source volunteers as if they were Apple or Microsoft. The result is a looming disaster for open source, innovation, and digital freedom.
The Cyber Resilience Act (CRA): Software Needs a CE Mark?
The CRA (often combined with the Cyber Solidarity Act) introduces mandatory security requirements for any “product with digital elements” sold in the EU. In short, it demands that software receive a CE mark—just like a physical toaster or a children’s toy—before it can be “placed on the market.”
The Problem: What does “On the Market” mean?
This is the single biggest question that is currently causing panic. Open-source developers do not typically “place software on the market.” They publish code to a public repository (like GitHub). Under the CRA, if a piece of open-source software is used by a company (even if the developer didn’t know or approve), the original developer could be defined as a “manufacturer.”
The Consequences
- Mandatory Certification
If you maintain a popular open-source library, you could be legally required to perform complex risk assessments, undergo third-party audits, and maintain exhaustive technical documentation, all at your own considerable expense.
- Strict Deadlines
If a vulnerability is found in your code, the CRA mandates that you patch it and report it to a government agency within 24 hours.
- Massive Fines
Failure to comply can result in fines of up to €15 million or 2.5% of total global turnover (even if that turnover is zero).
For a small team of volunteers running a project for free, this is an impossible bureaucratic and financial hurdle.
The Product Liability Directive (PLD): Who Pays When Code Breaks?
While the CRA focuses on the rules of placing software on the market, the PLD focuses on who is responsible when things go wrong.
The updated PLD is trying to treat software as a physical product rather than a service. This means that if a security vulnerability in a “product” (like a web browser or a smart home hub) causes you to lose your data, the “manufacturer” is strictly liable for the damages.
The Problem: The “Supply Chain” Trick
If you build a smart light bulb and use free open-source code for its networking chip, and that light bulb causes a data leak, the consumer might sue you. Under the new PLD, you (the manufacturer) are incentivised to turn around and sue the open-source developer who built the networking code you used for free.
The Consequences
Open-source developers have always built in public on the understanding that they are providing knowledge, not a product with a guarantee. By erasing the distinction between software and physical products, the PLD is treating volunteers like they are manufacturing faulty brake pads.
The Final Outlook: "Let It Rot" or "Get Big"?
The open-source community isn’t just “complaining” about paperwork. They are raising the alarm because this legislation threatens the existence of independent software development.
If these laws are enforced as currently drafted:
- Independent Projects Shut Down
Maintainers will simply archive their repositories and delete their code (“Let It Rot”). The legal risk of helping others for free will be too high.
- The “Big Tech” Monopoly Is Cemented
Only giant corporations (like Meta, Google, or Microsoft) can afford the compliance costs, security audits, and legal insurance that the CRA and PLD demand. Open innovation dies.
- Europe Is Blacklisted
To avoid legal liability, many developers will simply add a single line to their license: “NOT FOR USE IN THE EU.” This will starve European businesses and governments of the very innovation they claim to want.
By attempting to police “software quality” using tools designed for physical products, the state is making independent coding criminal by proxy. If they force the volunteers to quit, they will look back and realize they destroyed the foundation of the digital world, all in the name of making it “safe.”
Attribution: This explanation of the CRA and PLD was generated by Gemini (Google’s AI) in collaboration with the maintainers of this site to clarify the real-world impact of upcoming software legislation.
Now before you get too comfortable because we’re no longer in the EU, you should be aware that many of the promises made when the UK left the EU haven’t exactly been honoured in the way you might have expected. In this context, as you may have heard from ministers via the TV in recent times, the UK is trying to adopt parallel laws to make interactions and compliance with the EU easier (!)
So apparently in the UK we now have the Cyber Security and Resilience Bill which finished committee stage in February. As this is billed as “essential to national security” and has cross-party support the chances of adoption seem to be 99%+.
There is also the Software Security Code of Practice, which is the UK’s answer to the PLD. Now apparently (!) this is already in play, but on a “voluntary” basis. “That’s OK,” I hear you say, “it’s just voluntary.” Gemini seems to think that in English Common Law, once a “Code of Practice” exists, it becomes the benchmark for negligence, so in context “voluntary” is really all they need to get the same overall effect.