On Wed, May 31, 2023 at 4:43 PM Dimi Dimitrov <dimi@wikimedia.be> wrote:

> === Liability on Free Software ===
>
> The Cyber Resilience Act (CRA) sets out cybersecurity requirements for a range of software products placed on the EU market. The instrument of choice is to impose liability on developers and deployers of software. Our main worry is how the new obligations would hinder developers, especially volunteers, of free software. We are coordinating our position [10] and actions with the FSFE and EDRi.
>
> —
>
> The Industry, Research and Energy (ITRE) committee in the European Parliament has the lead and MEPs have tabled their amendments, which will now be discussed in the coming weeks (see Documentation Gateway in [11]). The good news is that most political groups are thinking about the specific needs of free software. The challenge is that the lawmakers, including the ones in Council, seem to be lacking a coherent vision of what a liability system should look like. We appear to be stuck considering patches and carve-outs. We are now going through an initial assessment of amendments [12] and will coordinate with our allies before contacting lawmakers.


You might want to borrow language from Directive (EU) 2019/770, Article 3(5)(f) here:

5. This Directive shall not apply to contracts regarding:

(f) software offered by the trader under a free and open-source licence, where the consumer does not pay a price and the personal data provided by the consumer are exclusively processed by the trader for the purpose of improving the security, compatibility or interoperability of that specific software;


Since this is already law in place and transposed, it would be a good starting point for consistency.