Dear EU legislators,
We represent the Free and Open Source Content Management Systems that power over half of all European websites and that ensure a competitive European Innovation Economy.
Our web publishing platforms empower Europeans to express themselves and collaborate across national borders through worldwide communications and commerce. Open Source Content Management Systems are the world’s digital window into the EU. In a nutshell, Free and Open Source Software is the embodiment of the European Union’s values: cross-border collaboration on innovative tools to ensure a more competitive European economy and democratic society.
As representatives of leading Free and Open Source Software (FOSS) Content Management System (CMS) communities in Europe and around the world, we commend the goal of enhanced security and quality of European hardware and software through the Cyber Resilience Act (CRA).
However, in their current form, the proposed regulations run the risk of reducing software security, as well as undermining the EU’s core aims and values, as we explain below.
We also share other commenters’ concerns [1] about the adverse impact the proposed regulations could have on FOSS development and activity in the EU—an annual multi-billion Euro contributor to the EU’s economy, innovation, and prosperity that also advances the EU’s aims and values.
FOSS CMS web platforms are essential to implementing the EU's aims and values. Our goal is for you to create a regulatory and legislative framework that stimulates economic activity and personal freedom in the EU without harming the tens of millions of EU websites running on our software—including those run by many European governments and entrepreneurs—or the software communities behind them. Software security should not depend on proprietary software owned and managed by non-European tech giants; it should rather be achieved by encouraging and embracing free and open source technology.
We would like to invite you to a dialogue about how to leverage FOSS to better achieve the goals of cyber resilience and promoting core EU values and competencies.
1. Open Source CMSs Support and Embody European Aims
The FOSS products we represent, and the communities behind them, foster peaceful cooperation and exemplify the EU’s core aims and values [2], including human dignity, freedom, democracy, equality, and maintaining a competitive market economy.
Furthermore, our CMS web publishing platforms, and Free and Open Source Software itself, are explicitly designed to further these goals through their philosophy, licensing, and practice (see “The Four Freedoms” below).
1.a. EU Aim: Market Competition
- FOSS keeps European tech markets and websites competitive. Websites represent the heart of digital communication and economic activity online. Without FOSS—without our Open Source Content Management Systems—the European market would be at the mercy of large, mostly American, technology oligopolies based on black-box proprietary code that stifles European innovation.
- FOSS drives innovation in Europe. Hundreds of thousands of FOSS contributors worldwide continuously update and improve the software they use to run their mission-critical digital platforms. The moment a new social, scientific, business or technological problem arises, someone is likely to develop websites and service offerings based on one or more of our CMSs. Because FOSS empowers individuals to act, solutions can be made available rapidly and independently.
- Europeans rely on open source software to empower their innovation.
1.b. EU Value: Human Dignity
- Enabling livelihoods: FOSS empowers EU citizens in the digital economy. Websites built on our platforms are used by sole proprietors and large corporations, NGOs and institutions alike, supported by independent service providers.
- Widespread participation by entrepreneurs, developers, communicators, and designers in FOSS communities contributes to citizen well-being, employment, equality, and social progress.
1.c. EU Value: Equality
- High-quality solutions for all. FOSS offers best-in-class digital communication solutions accessible to entities of all sizes, ranging from large enterprises to the smallest NGOs, schools, and institutions. This promotes sustainable development, scientific and technological progress, and supports the growth of a competitive market economy across Europe.
- Free and Open Source solutions are free to use, understand, change, and re-use.
- No vendor lock-in. Consumers and their data are free to switch or quit FOSS platforms.
- The “Four Freedoms” that define Free and Open Source Software represent an open and equal playing field for anyone who wants to use it. Our software licenses and community practices are built upon four fundamental freedoms that distinguish FOSS, in theory and in practice, from other economic models:
- Free to use: Anyone can employ the software for any purpose, in any location, and indefinitely.
- Free to study: Anyone can examine the underlying mechanisms and functionality of the software.
- Free to modify: Anyone can rectify and enhance the software according to their requirements.
- Free to share: Anyone can freely distribute, sell, and contribute back to the software community.
1.d. EU Values: Democracy, Freedom
- FOSS fosters democratic collaboration—an inherent principle and economic incentive that promotes peace, solidarity, and mutual respect among people—in diverse, international communities of practice.
- FOSS provides accessible digital communication tools for everyone that level the playing field and enable free and fair trade, poverty eradication, and fundamental human rights.
- FOSS expands free speech. Anyone can use FOSS to make themselves heard: businesses small and large, dissidents and activists, government bodies and community volunteer organizations who cannot afford expensive commercial systems.
1.e. Cyber Resilience: Security
Our FOSS CMSs are mission-critical and extensively tested.
- Our open source CMS software powers over half of all European websites, including, but not limited to, numerous mission-critical government, enterprise, and institutional websites.
- They are developed and maintained by hundreds of thousands of software developers in professional communities of practice for millions of end-users.
- Every release of our CMS web publishing platforms is rigorously tested by:
  - our own security teams during development,
  - our own professional communities of agencies and developers (who rely on it for their livelihood) before release,
  - and thousands of security professionals who work for the above-mentioned governments, enterprises, and institutions upon general availability.
- By the time of final release, our Open Source CMSs have a better chance of being secure than software only tested by a limited number of developers inside a proprietary software company.
- Tens of thousands of developers are empowered to identify and fix potential vulnerabilities, because all FOSS code is made publicly available — unlike proprietary software code that is kept secret.
2. The Cyber Resilience Act Endangers European Values and Economy
The current form of the CRA raises challenges and difficult questions that must be addressed. The following points highlight some of our key concerns:
2.a. Definitions of “commercial activity” unclear and problematic
The current non-commercial exemption in the proposed regulations fails to consider the intricate network of relationships that underpin FOSS and its roles in the digital economy, including vendor-consumer, publisher-distributor, contributor-consumer, individual-company-institution, and more.
- Independent companies and organizations receive funding to develop FOSS software components and distribute them freely.
- Individuals develop and distribute FOSS components for free while charging a nominal fee for support services.
- Clients engage software development agencies to develop new functionality that is integrated into a larger FOSS codebase.
- FOSS community members voluntarily enhance and contribute back to existing software at no cost in their free time. They later use the same software at their workplaces (government agencies, charities and NGOs, companies of every size, etc.), which benefit from their time and effort.
- A non-profit association affiliated with a FOSS project may act as the official vendor of a specific FOSS application, providing financial support for its development. However, the association neither sells products or services based on the application nor directly participates in its development, which is carried out by volunteers.
Risks and negative effects for the EU: Individuals, SMEs, and institutions will be hampered either by enormous administrative burdens or a chilling effect on their activities (and a potential rush towards the American Tech Giants) for fear of risking penalties under the CRA.
2.b. Flaws in the notion of "unfinished software"
The proposed ban on releasing "unfinished software" contradicts the realities of modern software development, whether FOSS or otherwise. Early versions, like alpha and beta releases, are essential for development, innovation, and indeed security. These “pre-releases” are marked accordingly and understood in the industry as unfinished (non-final, initial) versions that need testing by our large communities of expert and professional users before being released as final software.
This well-understood and time-tested practice is part of the software development world’s system of checks and balances against releasing insecure software. The “many eyes” principle of interested parties performing tens or hundreds of thousands of rounds of testing means that Open Source CMSs generally have a better chance of being secure in their final release versions than software only tested by a limited number of developers inside a proprietary software company.
Risks and negative effects for the EU: Restrictions such as those suggested in the CRA will potentially
- Force the release of less-secure software,
- Diminish the international competitiveness of EU businesses,
- And contradict the EU values of freedom, including freedom of expression, movement, and ideas.
2.c. The CRA draft ignores the collaborative and modular nature of the global digital economy, the development of the software that powers it, and the EU’s inextricable ties to both.
Most software applications in the EU economy build upon existing FOSS applications, operating systems, and code libraries. FOSS is developed, published, distributed, and continuously updated through independent international cooperation. The technical structure of the Internet does not practically accommodate an EU/non-EU development and distribution model for FOSS software.
Hampering international collaboration in favor of an EU-only model of software development (even if that were possible) cuts off EU institutions, all levels of EU government, and every part of the economy connected to digital technologies today. We would argue this includes the entire EU economy: both those directly running websites and services and those who benefit from being included in the many search engines, online maps, and recommendations online.
Risks and negative effects for the EU: Again, the fear of unintentionally running afoul of complex rule sets that ignore or contradict the interconnected nature of modern digital reality in business and software development will have a chilling effect on European innovation and economic participation.
2.d. Disadvantages for EU SMEs
The European FOSS landscape primarily consists of small to medium-sized enterprises (SMEs). Enforcing stringent compliance requirements on SMEs, similar to those imposed on large enterprises, would create a disproportionate burden. Compliance-related administrative tasks would divert resources from innovation and hinder the ability of SMEs to compete, potentially driving business away from Europe.
Risks and negative effects for the EU: As mentioned by many other commenters (see footnote 1 above), large and enterprise-class businesses may be the only ones able to profitably sustain the administrative burden of CRA compliance, quelling EU innovation, entrepreneurship, and economic livelihoods.
2.e. Legal responsibility for FOSS products not accounted for
Our Open Source CMSs and other FOSS projects have been under development for more than two decades and involve contributions from thousands of individuals. Establishing legal responsibility for compliance with regulations becomes incredibly challenging in this context. At the same time, these FOSS codebases are vital to the EU economy, and banning their use would have severe economic and technical consequences.
Risks and negative effects for the EU: We repeat, FOSS codebases are vital to the EU economy, and banning their use would have severe economic and technical consequences.
3. Proposed Measures
To ensure the continued success of FOSS and its alignment with EU aims and values, we propose the following measures:
3.a. Clarify CRA Exemption for FOSS
The intricate and diverse economic models within the FOSS ecosystem (see above) lead us to conclude that software released under FOSS-compatible licenses, and the commercial, proprietary, or Open Source products built on them, require a clarification of the exemption in recital 10 of the proposed regulations.
3.b. Support for users' rights and freedoms
Users should be fully supported in exercising their rights granted by FOSS-compatible licenses, including the freedom to use, study, modify, and republish the software. Technical support should not be considered a “commercial activity” under the proposed regulations.
3.c. Invitation to Engage: FOSS CMSs in the EU Economy Seminar
In light of these concerns and recommendations, we will be inviting EU Commission members and other interested parties to participate in a seminar in Brussels. The purpose of this seminar is to delve into the inner workings of FOSS, explore its alignment with EU aims and values, and discuss how FOSS and CMS web platforms can maintain their status as exemplars of European innovation and prosperity.
Signed, the Inter-CMS Working Group,
Crystal Dionysopoulos, President, Open Source Matters, Inc. (Joomla)
Josepha Haden Chomphosy, Executive Director, WordPress Project
Olivier Dobberkau, President, TYPO3 Association
Tim Doyle, CEO, Drupal Association
[1] We expressly support and wish to underscore the feedback to the CRA submitted by eco - Verband der Internetwirtschaft e.V., NLnet Labs, DIGITALEUROPE, GitHub, German Chamber of Commerce and Industry, Open Source Initiative, OpenForum Europe, The Open Source Security Foundation, The Document Foundation, Developers Alliance, Vrijschrift.org, and Open-Xchange AG.