Hello Community Members,
Over the last few months, we at Moodle HQ have been monitoring the development of new legislation in the European Union that has the potential to negatively impact open source software, its users, the people who contribute to its development and our community of educators and learners globally.
The EU Cyber Resilience Act (CRA) aims to safeguard European consumers and businesses buying or using products or software with a digital component. The act seeks to establish a uniform set of cybersecurity requirements for all digital products in the European Union, requiring auditing and compliance with standards yet to be established.
The overarching goal of the act is one that Moodle supports unequivocally. A defining characteristic of Moodle’s open source values and practices is our pledge to build a secure learning management system that protects the privacy and security of learners’ and employees’ data.
However, Moodle HQ and a number of other open source software developers and foundations, such as the Eclipse Foundation and the Apereo Foundation, are concerned that the CRA, as currently written, will dramatically impact users of open source solutions and damage the open source ecosystem.
The CRA aims to establish legislation that will require product manufacturers to apply for accreditation (referred to as the CE mark) of their products to indicate conformance to the act’s requirements. This process will impose expensive administrative overheads, limit best-practice development, and may negatively impact cyber resilience in an open source context.
Further reading on the accreditation requirements and their implications can be found in numerous informative articles, such as:
This comprehensive blog post by the Internet Society
A detailed assessment by the Apache Foundation
A number of articles published by GitHub, including this articulation of the key issues at play
An open letter from prominent open source content management providers: Drupal, Joomla, TYPO3 and WordPress.
For Moodle, the implications could be grave. Although the CRA currently includes an exemption for open source software developed or supplied outside the course of a commercial activity, this exemption has caveats that disqualify Moodle from it:
The CRA regulates open source projects receiving donations – Moodle receives donations necessary for the sustainability of our project.
The CRA regulates open source projects that do not have “a fully decentralised development model” – Moodle is developed by both community contributors and Moodle HQ employees, meaning that, as a project that has “corporate” employees with commit rights, we would not be exempt.
And for institutions, universities or companies that are adopters and adapters of open source software, contribute to open source projects and the community, or simply consume these solutions, the implications could be just as grave. The act has the potential to:
Make the software you rely on no longer available in the EU – with distribution limited to other geographies or solutions disappearing due to lack of sustainability.
Limit the potential of open research – with the use of open source software limited by compliance costs.
Increase the complexity of multi-organisation work – with collaboration on open source software projects difficult due to legal accountability requirements, limiting university and commercial partnerships.
Increase software licensing costs – with fees charged for any software product increased to cover required re-factoring and compliance obligations.
Last month the CRA was voted on and passed through to the next stage of implementation. However, dialogue with the European Commission is ongoing and further refinements to the act are being debated. This means that change is still possible, and you can help Moodle, and the open source ecosystem as a whole, with action.
We invite you to:
Join the OpenForum Europe – multi-stakeholder discussions are happening here.
Publicly state your position that the development of open source is critical to Europe’s prosperity and digital sovereignty.
Engage directly with the policymakers of your country (MEPs, governments) and corporate public affairs departments. Members of relevant committees can be found via this page.
Educate your colleagues in government relations on the importance of open source to your business or institution.
We at Moodle HQ will continue to engage with relevant parties through our associations and involvement in the FOSS Legal Network. We will be relentless in our efforts to protect open source and its contribution to providing safe and inclusive educational environments that empower individuals and foster access to quality education for all.
Thank you in advance for your support,
The Moodle HQ Team