A bit of an “emergency blog post”. The final compromise text of the EU Cyber Resilience Act is now available, and various open source voices are now opining on it. This is a complex act and other parts of the open source world (like the Eclipse Foundation and NLNet Labs) have been hard at work to advocate with the EU and member states to get a CRA that is good for open source. I’ve also been highly critical.
The tl;dr: The EU Cyber Resilience Act mostly excludes open-source authors and programmers from its effects. Most of this is set out in the preamble of the act, and not in the act itself. Yet this in no way means these provisions are somehow not “for real”, unlike what some people claim.
Programmers and technical people are very good at rapidly parsing acts, which are actually giant state machines full of definitions and transition rules. We love that stuff. Law is in fact to a huge extent code, and programmer brains are well suited to dealing with giant acts.
However, this swiftness that we have with grasping the mechanics often blinds us to the broader context and (sadly) underdocumented rules and lore that also govern how laws work. Also, the mindset of anyone in information or computer security is to find loopholes, and to completely focus on what would happen in the worst case.
This has led some to draw incorrect conclusions, often even based on outdated versions of the EU CRA.
So here is some partial clarification.
I hate that I have to do this, and I hate that I have to do this in a hurry. I’m not the best person to write this up, even though I’ve been some sort of technical judge for the Dutch government. Also, I’d love to take more time to explain this as well as possible. But wrong ideas are circulating right now, so time is of the essence.
If you are well versed in EU law and find any mistakes in this post, please let me know urgently on email@example.com! Update: meanwhile several experts have confirmed that the explanation of recitals in this post is correct.
Interpretation of law
Laws are indeed a lot like code, but it is code that takes ages and ages to be deployed. Laws are hard to tweak or change, so they try to be generic enough so you can work with a law for half a decade or more. However, being generic means that definitions can’t always be 100% precise. The definition might otherwise get out of date quickly.
More generic definitions leave more room for interpretation, which means that 5 years from now a definition might cover different things. Either because technology has changed or because society has changed. There are existing laws on defamation, for example, that in today’s rough-and-tumble social media climate mean something entirely different than 30 years ago, even though the text could still be the same.
As soon as there is room for interpretation, think of the poor judges that have to do the interpretation (I was once one of them). What is “grave” damage to someone’s reputation? What actually IS open source when it is not defined precisely in the law?
Different systems of law have found different ways of dealing with this problem. Some of these ways are sillier than others. Some try to imagine for example what the drafters of the US constitution were thinking in the 1790s.
In some legal systems, laws are now accompanied by lengthy statements or even whole documents explaining the ideas behind a law, and even the history of its creation. Such wording often has no formal legally binding status. Yet, judges will take note of these (and other) documents to figure out what the spare wording of a law might mean.
By reading preambles, recitals, exposés des motifs, memories van toelichtingen and other non-binding documents, judges can form an idea of the purpose of a law. In the Netherlands this might even extend down to verbal statements made by ministers during legislative debates.
All these materials are a great aid in figuring out how an article or a none too specific definition should be interpreted.
It should be noted that every law or act requires interpretation. These things are not mathematical formulas (and even those aren’t perfect). The context for such interpretation can come from associated documents, but also from industry standards and practices or other relevant literature.
Countries (and Unions) could write worryingly vague laws and acts, and hope that the surrounding documents provide enough clarity for everyone to figure out what it all means. The standards for legislative text however are very high, and a lot of scrutiny is applied to them.
Yet, preambles, recitals, etc. are often far more political and informal in nature, full of good intentions, wishes, hopes and even dreams. Also, a law is easy to locate and read. But it takes a lot of work to find all the documents that provide context. You might not even know about all of them. This creates legal uncertainty.
In general, it could be said that these non-binding surrounding documents definitely are helpful, but they should not be a crutch for bad legislation that then takes a lot of work to interpret.
EU acts start out with a preamble full of ‘Recitals’. Some of these are legally mandatory to even explain why the act is necessary. These are load-bearing recitals, and whole acts can be declared invalid if the explanation of the origin of the law is too weak.
Now, the relation between the recitals and the actual act is complicated.
The EU CRA applies to transactions “in the course of commercial activity”. Meanwhile, almost everything the CRA has to say on (what it calls) “open-source software” is to be found in the recitals in the preamble.
In the judgment of 19 November 1998 in Case C-162/9 it is stated:
“On this point, it must be stated that the preamble to a Community act has no binding legal force and cannot be relied on as a ground for derogating from the actual provisions of the act in question.”
And this is where some people in the open source world have jumped to some erroneous conclusions. If you read only this sentence, you might come to the conclusion that the preamble is there just for show. Perhaps you might compare the recitals to comments you find in computer code: nice, but ignored by the compiler.
A more precise reading of the sentence, however, finds that it only says that the preamble can’t do one specific thing. If an act concretely says something, the preamble can’t take that away (‘derogate from it’).
In 2009, Tadas Klimas and Jūratė Vaičiukaitė published The Law of Recitals in European Community Legislation which contains a very readable and in places funny analysis of the situation.
In this they state:
“Recitals in EC law are not considered to have independent legal value, but they can expand an ambiguous provision’s scope. They cannot, however, restrict an unambiguous provision’s scope, but they can be used to determine the nature of a provision, and this can have a restrictive effect”.
And in summary:
The law of recitals in EC Legislation can be summarized thusly:
A) Where both the recitals and the operative provisions are clear but inconsistent, the operative provision will control. Corollary: recitals have no positive operation of their own.
B) Where the recital is clear, it will control an ambiguous operative provision. This means that the operative provision will be interpreted in light of the recital. There have been cases wherein the nature of the operative provision is affected by a recital, and others where the scope of the operative provision is affected.
C) A function of A and B is the relation of the recital to the European doctrine of “legitimate expectations.” Recitals cannot cause legitimate expectations to arise; they have no operative effect of their own. But they can prevent legitimate expectations from arising. This is in keeping with the idea that a recital may limit the scope of an ambiguous operative provision.
If you want to use an analogy to code, recitals are more like a #pragma than like a comment.
Update: A government official involved with finalising the CRA commented that recitals are not only read carefully by judges, but that they also instruct the CRA Market Surveillance Authorities how to act and how they should write guidelines. In addition, the recitals determine the transposition and adaptation of legislation.
How this applies to the EU CRA
The Cyber Resilience Act truly hinges on whether something you do is a commercial activity. And in the recitals we find a lot of comforting words that tell us that most open source things are in fact not a commercial activity.
Some examples from the recitals:
- “Accepting donations without the intention of making a profit should not be considered to be a commercial activity”
- “For instance, the mere fact that an open-source software product with digital elements receives financial support by manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature.”
- “In addition, the mere presence of regular releases in itself does not lead to the conclusion that a product is supplied in the course of a commercial activity”
- “This Regulation does not apply to natural or legal persons who contribute source code to free and open-source products that are not under their responsibility”
- “More specifically, for the purpose of this Regulation and in relation to the economic operators referred therein, to ensure that there is a clear distinction between the development and the supply phases, the provision of free and open-source software products with digital elements that are not monetised by their manufacturers is not considered a commercial activity”
Given how EU legislative interpretation works, these sentences clearly limit the scope of the rest of the act, which is all about these commercial activities. These recitals are not just comments.
So if anyone states that recitals are non-binding, do know that this is simply not the case when it comes to determining the scope of an act, or to telling judges what the purpose of articles is.
UPDATE: There is now also a dedicated blog post on what the EU CRA will mean for open source.
Some further reading
EU recitals are a living thing, and there is a lot of justified criticism of their use and the surrounding politics.
In On the Use and Misuse of Recitals in European Union Law, Den Heijer et al. expand on this issue.
The EU Joint practical guide on the drafting of European Union legislation has some choice words on political exhortations and normative provisions in recitals.
A 2019 case of the ECJ states “the recitals of an EU act constitute important elements for the purposes of interpretation, which may clarify the intentions of the author of that act”, but also repeats: “However, the preamble to an EU act has no binding legal force and cannot be relied on as a ground either for derogating from the actual provisions of the act in question or for interpreting those provisions in a manner that is clearly contrary to their wording (see, to that effect, judgment of 24 November 2005, Deutsches Milch-Kontor, C‑136/04, EU:C:2005:716, paragraph 32 and the case-law cited).”
But do note that no law is free from interpretation. Recitals, understandings, preambles, etc. are all very useful things to have.
I did a further writeup of what the compromise text of the CRA actually means for open source. Specifically, some open source software foundations will likely have to do actual work. And the CRA may strongly incentivise users of open source software to support that open source software, due to the operation of the due diligence clause.