EU’s proposed CE mark for software could have dire impact on open source(devclass.com)
devclass.com
EU’s proposed CE mark for software could have dire impact on open source
https://devclass.com/2023/01/24/eus-proposed-ce-mark-for-software-could-have-dire-impact-on-open-source/
7 comments
> In the context of software, a commercial activity might be characterized be characterized not only by …
"Might" and "not only" are key here. Commercial and non-commercial are not easily separable in neat little boxes, and there's quite a lot of grey area. There's some amount of money involved in a lot of Open Source software, even when it's not really a "business" like, say a bakery or Twitter is. Is accepting money in GitHub sponsors to work on $project_x "commercial activity"? It's not clear to me from that description it's not.
As it stands, it's quite vague, partly because it's just so hard to nail down.
"Might" and "not only" are key here. Commercial and non-commercial are not easily separable in neat little boxes, and there's quite a lot of grey area. There's some amount of money involved in a lot of Open Source software, even when it's not really a "business" like, say a bakery or Twitter is. Is accepting money in GitHub sponsors to work on $project_x "commercial activity"? It's not clear to me from that description it's not.
As it stands, it's quite vague, partly because it's just so hard to nail down.
> charging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data
See, this is why all these "foundations" and package managers are against it. They count as commercial entities.
The EU is a really big place, it won't be ignored. The real danger, from the point of view of these "foundations", is that someone will fill the void with a compliant solution - and they won't limit their services to the EU.
See, this is why all these "foundations" and package managers are against it. They count as commercial entities.
The EU is a really big place, it won't be ignored. The real danger, from the point of view of these "foundations", is that someone will fill the void with a compliant solution - and they won't limit their services to the EU.
It sounds like individual FOSS freelancers would not be included in the exception, due to the commercial aspect of their activity and some might not be able to afford to continue contributing to FOSS in that way. So it would probably drive people towards joining companies or large consultancies.
More bureaucratic nonsense that just helps out international mega-corporations at the cost of small co-operatives and trade unions, etc.
Focus on stuff that actually improves conditions like enforcing that redundant positions be shown to be redundant in all parent and child subsidiaries rather than just domestically, etc.
And streamline the process for making claims when payment details are stolen - like has been successful with airline compensation.
Focus on stuff that actually improves conditions like enforcing that redundant positions be shown to be redundant in all parent and child subsidiaries rather than just domestically, etc.
And streamline the process for making claims when payment details are stolen - like has been successful with airline compensation.
I dearly hope the regulations actually live up to their estimated benefits, and that the cost of compliance also includes the indirect negative impact on future product research and development, not just direct impacts on existing businesses.
> The draft legislation includes an impact assessment that [...] total cost of compliance [...] estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually.
> The draft legislation includes an impact assessment that [...] total cost of compliance [...] estimated at EUR 29 billion ($31.54 billion), and consequent higher prices for consumers. However, the legislators foresee a cost reduction from security incidents estimated at EUR 180 to 290 billion annually.
This sounds like the process required for most ISO certifications which sums up to: "pay up, do nothing useful" in my experience.
The extra cost of certification is only very _rarely_ useful. I have to laugh at the "bolster cybersecurity rules to ensure more secure hardware and software products".
It shifts the cost to the company that needs/wants CE.
On one hand, it might actually incentivize companies to pay up for OSS maintenance services, since certification requires a _process_, and not just an end product you can copy without any commitment at all. I don't see this working for small devs though (the paperwork will likely exceed the actual extra revenue in all but the largest projects - so why bother?).
This also puts CE at disadvantage where another market can just do that: steal/clone OSS and skip all the certifications. I'm a lot more worried about this point than the rest.
The extra cost of certification is only very _rarely_ useful. I have to laugh at the "bolster cybersecurity rules to ensure more secure hardware and software products".
It shifts the cost to the company that needs/wants CE.
On one hand, it might actually incentivize companies to pay up for OSS maintenance services, since certification requires a _process_, and not just an end product you can copy without any commitment at all. I don't see this working for small devs though (the paperwork will likely exceed the actual extra revenue in all but the largest projects - so why bother?).
This also puts CE at disadvantage where another market can just do that: steal/clone OSS and skip all the certifications. I'm a lot more worried about this point than the rest.
> In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. In the context of software, a commercial activity might be characterized not only by charging a price for a product, but also by harging a price for technical support services, by providing a software platform through which the manufacturer monetises other services, or by the use of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software