40 new ways the CRA can accidentally harm open source

A presentation at FOSDEM 2024 in in Brussels, Belgium by Tobie Langel

Following the agreement reached in early December 2023, and pending formal approval by both the European Parliament and the Council, the CRA will be adopted shortly.

What’s going to happen next?

The EU Commission will issue a standardization request to European standardization organizations to develop multiple technical standards (about 40!) defining how to apply the requirements of the CRA. As usual, the devil is in the details, and these standards will substantially shape the future of software in Europe, and as a result, of open source.

The problem?

The EU standardization organizations which will be tasked with developing those standards (CEN-CENELEC and ETSI) are very formal structures that are as arcane and antithetical to open source communities as the EU legislative process itself was only a few months ago.

There’s a very serious risk that this upcoming standardization process might happen again with little or no consultation of the impacted open source communities and lead to additional harm as a result, further damaging Europe’s standing in the open source community and its ability to host, foster, contribute to, and leverage open source projects essential to its sovereignty.

The goal of this session is to preempt this scenario by proactively engaging with policy makers and carving out a path forward that leads to better outcomes for both Europe and open source.