The Eclipse Foundation and Leading Open Source Organisations Deliver Open Letter to European Commission Regarding the Cyber Resilience Act

The CRA as written poses an unnecessary economic and technological risk to the EU; Open Source leaders wish to work with the European Commission on the CRA’s noble goal of secure software for all

BRUSSELS, April 17, 2023 (GLOBE NEWSWIRE) -- The Eclipse Foundation, one of the world’s largest open source software foundations, in collaboration with Associaçāo de Empresas de Software Open Source Portuguesas (ESOP), CNLL, The Document Foundation (TDF), European Open Source Software Business Associations (APELL), COSS - Finnish Centre for Open Systems and Solutions, Linux Foundation Europe, OpenForum Europe (OFE), Open Source Business Alliance (OSBA), Open Source Initiative (OSI), Open Systems and Solutions (COSS), OW2, and Software Heritage Foundation today released an open letter in response to the Cyber Resilience Act and its potential to negatively impact technological and economic development across the European Union.

In this letter co-signed by the twelve open source software leadership organisations, the group collectively offers their expertise directly to the EU and member states to make constructive changes to the legislation in support of strengthening cybersecurity without harming the open source software community, which underpins commerce and public benefit concerns alike. Interested parties can view a copy of this letter and its signees in multiple languages here:

Dear Members of the European Parliament,
Dear Representatives to the Council of the European Union,

We, the undersigned, represent leading governance institutions within the European and global open source software community. We write to express our concern that the greater open source community has been underrepresented during the development of the Cyber Resilience Act (CRA) to date and wish to ensure this is remedied throughout the co-legislative process by lending our support.

Open source software (OSS) represents more than 70% of the software present in products with digital elements in Europe. Yet, our community does not have the benefit of an established relationship with the co-legislators. The software and other technical artefacts produced by us are unprecedented in their contribution to the technology industry along with our digital sovereignty and associated economic benefits on many levels. With the CRA, more than 70% of the software in Europe is about to be regulated without an in-depth consultation.

As acknowledged in the EU’s Open Source Software Strategy 2020-2023, open source software plays a critical role in the digital economy, powering everything from cloud infrastructure to mobile applications to public transportation systems. In Europe alone, we represent about €100 billion in economic impact. It is therefore essential that any legislation that impacts the software industry takes into account the unique needs and perspectives of open source software, as well as our modern methodologies used to create software.

We deeply share the CRA’s aim to improve the cybersecurity of digital products and services in the EU and embrace the urgent need to protect citizens and economies by improving software security.

However, our voices and expertise should be heard and have an opportunity to inform public authorities' decisions. If the CRA is, in fact, implemented as written, it will have a chilling effect on open source software development as a global endeavour, with the net effect of undermining the EU’s own expressed goals for innovation, digital sovereignty, and future prosperity.

Moving forward, we urge you to engage with the open source community and take our concerns into account as you consider the implementation of the Cyber Resilience Act. Specifically, moving forward, we urge you to:

  1. Recognise the unique characteristics of open source software and ensure that the Cyber Resilience Act does not unintentionally harm the open source ecosystem.
  2. Consult with the open source community during the co-legislative process.
  3. Ensure that any development under the CRA takes into account the diversity of open and transparent open source software development practices.
  4. Establish a mechanism for ongoing dialogue and collaboration between the European institutions and the open source community, to ensure that future legislation and policy decisions are informed.

The undersigned organisations collectively represent the governance of much of the open source software which industry and society rely on. We offer our collective expertise, including envisioning how these professional organisations may support a more inclusive and effective process to inform the CRA today. The same increase in dialog and collaboration will continue to support the CRA’s successful implementation in this new regulatory paradigm. We are prepared to send a representative delegation to meet with the members now.

We appreciate your attention to this matter and look forward to working with you to ensure that the Cyber Resilience Act reflects the concerns and contributions of the entire software industry, including the open source community.

Co-signed by the Executive Directors, Board Chairs, and Presidents on behalf of their respective organisations:

Associaçāo de Empresas de Software Open Source Portuguesas (ESOP)

CNLL, the French Open Source Business Association

The Document Foundation (TDF)

Eclipse Foundation

European Open Source Software Business Associations (APELL)

COSS - Finnish Centre for Open Systems and Solutions

Linux Foundation Europe

OpenForum Europe (OFE)

Open Source Business Alliance (OSBA)

Open Source Initiative (OSI)

Open Systems and Solutions (COSS)


Software Heritage Foundation

About the Eclipse Foundation
The Eclipse Foundation provides our global community of individuals and organisations with a mature, scalable, and business-friendly environment for open source software collaboration and innovation. The Foundation is home to the Eclipse IDE, Jakarta EE, and over 400 open source projects, including runtimes, tools, and frameworks for cloud and edge applications, IoT, AI, automotive, systems engineering, distributed ledger technologies, open processor designs, and many others. The Eclipse Foundation is an international non-profit association supported by over 330 members, including industry leaders who value open source as a key enabler for their business strategies. To learn more, follow us on Twitter @EclipseFdn, LinkedIn or visit

Third-party trademarks mentioned are the property of their respective owners.

Policy Contact:
Gaël Blondelle, Vice President, European Operations and Policy 
P: +33 (0) 6 73 39 21 85 | Twitter | LinkedIn

Media contacts:
Schwartz Public Relations for the Eclipse Foundation, AISBL
Stephanie Brüls / Susanne Pawlik
Sendlinger Straße 42A
80331 Munich 
+49 (89) 211 871 – 64 / -35

Nichols Communications for the Eclipse Foundation, AISBL
Jay Nichols 
+1 408-772-1551

514 Media Ltd for the Eclipse Foundation, AISBL (France, Italy, Spain)
Benoit Simoneau 
M: +44 (0) 7891 920 370