Umbraco’s position on the Cyber Resilience Act

Umbracos position on the Cyber Resilience Act

We at Umbraco are concerned that the Cyber Resilience Act (CRA) proposed by the European Commission may harm the wider Open-Source Software (OSS) ecosystem as we know it. More specifically, we are concerned that the CRA will interfere with the fine balance that exists between many open-source projects and the consumers of OSS.

We urge legislators to take OSS and the communities surrounding it into account in the CRA and that legislators should be careful not to inadvertently hurt OSS development by introducing liability on contributors who are creating free software that could potentially become part of, what in the CRA draft is loosely defined as, “commercial activities''. 

Umbraco and Open Source Software

Umbraco’s own software license (MIT) remains true to the fact that anyone without limitation has the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software. For Umbraco A/S, CRA poses no direct threat as the software is consistently maintained by Umbraco A/S and over the years has grown and matured organisationally and financially. 

We are, however, worried about what the CRA will mean to the willingness to contribute, within the Umbraco community as well as in other OSS communities.

Open-source development is a win/win relationship for everyone involved

Contributors to OOS contribute for many reasons. What is common for all contributors and OSS projects is that they operate in a win/win relationship where all parties benefit from coming together around a project. Some contributors want to share their ideas with like-minded people, some want to be an active part of projects that are bigger than what they could build on their own. Some create packages that can be used commercially, some of which are free of charge, and some are not.

Some contributors do this work in their spare time, some during work hours and some are making a small profit from being involved in one or more OSS projects.

A melting pot of relationships, tech talent, innovation, and fun

If there is one thing we have learned from the community around Umbraco, it is that the communities that can arise around open-source projects, connect people. Often across large distances. People with shared interests can exchange ideas with people from different cultures around the world and create new innovative solutions that wouldn’t have been possible without this shared interest in collaborating on an open-source project. In marketing terms, this is called “outside-in”.

Contributors develop a network of like-minded people and we’ve seen many cases of these connections developing into professional relations, mentor-mentee connections, and often also new friendships.  Ideas for add-on products have occurred and we have happily seen how people can start collaborating on products that connect to Umbraco and making them available for anyone to use. Some even make a profit from their work. And of course, the open-source project Umbraco benefits from this by having valuable additions added to the ecosystem around Umbraco in the aforementioned win/win relationship.

The open-source way of developing software, and the open-source way of thinking in general, is very important to us at Umbraco. Through many years we have seen the positive impact of having skilled and passionate community members connect with each other and with us at Umbraco HQ, creating solutions that didn’t exist before and making them available to the world. And we wish to see this continue.

The CRA can undermine the win/win relationship between contributors and OSS

While the ideas contained in the CRA are generally good, the CRA as it is phrased now might deter people from creating products or add-ons that connect to open-source projects.

OSS that is free to use and distribute is exempted from the legislation outlined in the CRA unless it is used in relation to what is referred to as: “commercial activity”. A somewhat loosely defined term that leads to more questions than answers, including how downstream implementations of a free OSS product in a commercial solution will impact its original creator. 

Donations, another regular occurrence within the OSS communities may or may not be classified as “commercial activity” and no clear guidance or thresholds related to donation sizes are defined in the current CRA draft.

The balance in the win/win relationship mentioned earlier is at risk of being threatened by this one uncertain definition regarding what is and isn’t considered “commercial activity”. The risk that this places upon OSS contributors and license holders is what we are particularly worried about, specifically how this may affect people's willingness and ability to participate in the development and expansion of new and/or existing OSS projects as they might not have the chance or organizational backbone to fulfill the new legal obligations from the CRA.

Clarification is needed from legislators

We urge that legislators seek to preserve the balance in the win/win relationship that exists between contributors and OSS projects and clarify that individuals who make their add-ons and contributions available for anyone to use are not at risk of becoming liable for how their contributions are later implemented as parts of commercial solutions.

If not, it is our prediction that contributors to European open-source projects will either have to create licensing that only permits the use of their software outside of the EU, or even worse, they will stop creating new projects entirely. The innovation and development of tech talent that happens within these communities and OSS projects will fade, which will eventually leave the market to the big established software companies most of which are based outside of the EU.

Other open-source initiatives have similar concerns

Umbraco is not the only open-source organization that is concerned about the Cyber Resilience Act and its impact on open-source communities. Opensource.org has gathered a list of several other organizations, all voicing similar concerns.