A group of over a dozen industry bodies that support open-source software has jointly released an open letter calling on the European Commission to reconsider some aspects of the proposed Cyber Resilience Act.

The organisations, which include the Eclipse Foundation, Linux Foundation Europe, and the Open Source Initiative (OSI), warn that if implemented in its current form, the CRA could have 'a chilling effect on open source software development as a global endeavour.' They also argue that the legislation in its current form presents an unnecessary economic and technological risk to the EU. The organisations underlined that a dialogue and collaboration between the European institutions and the open source community is necessary for informed decsions to be made.

Although the proposed Cyber Resilience Act appears to exclude non-commercial open source software, determining the precise meaning ofnon-commercialis not a straightforward task. As a result, open source bodies in their letter call to clarify that open source developers will not be held liable for security breaches in a downstream product that incorporates a specific component.