
Partnering with EU policymakers to ensure the Cyber Resilience Act works for developers

Blog post from GitHub

Post Details

Author: Mike Linksvayer
Word Count: 574
Language: English
Summary

The European Union's proposed Cyber Resilience Act, introduced by the European Commission, aims to enhance cybersecurity by requiring companies to ship and maintain secure software products, with a particular focus on critical products like web browsers and VPNs. The Act proposes exemptions for non-commercial open source software, but defining the scope of these exemptions is complex due to the diverse contexts in which open source is developed and maintained. GitHub and the open source community suggest that the Act should focus on finished, paid products and provide clarity to ensure open source software that is not monetized remains exempt, thus supporting the collaborative development and distribution platforms crucial to digital infrastructure. European Commission research underscores the economic impact of open source, contributing significantly to the EU's GDP, and the German government's Sovereign Tech Fund exemplifies direct governmental support for open source projects. As the legislation evolves, GitHub is actively engaging with EU policymakers and the developer community to refine the Act and enhance cyber resilience, emphasizing the need for models that integrate government support with multi-stakeholder initiatives like OpenSSF for securing digital commons.