Where To? Building the Road to EU Policy Compliance

Categories: Event Report
Created by Mathias Bolt Lesniak
Circle of yellow stars on a blue background. Orange TYPO3 logo replaces one star, moved slightly out of the circle.
Photo: Dušan Cvetanović / Pexels
On 5 February 2024, I attended a workshop in Brussels, Belgium, with representatives from many large open-source projects. With one person from each project, it was still a large circle of more than 30 people. How can this help TYPO3 and how can we contribute to the combined effort?

The workshop was organized by OpenForum Europe and aimed to find a way to continue the collaboration started around the work to improve the situation for open-source software under the European Union's Cyber Resilience Act. It was also a good way to get perspectives on what challenges we are facing going forward and what TYPO3 can and should do to be prepared.

Continuing the Collaboration

Also in attendance at the workshop were CMS cousins Drupal and Joomla, represented by the leaders of their respective community organizations Owen Lansbury and Crystal Dionysopoulos.

The workshop took the form of a rapid, information-packed, three-hour rundown of past achievements, current challenges, and future possibilities. The sessions were well-managed, in the strict-but-friendly style we have come to love from OpenForum Europe. Everyone had the possibility to contribute their perspectives. For us relative newcomers, the number of acronyms was a challenge. Luckily, we got the help we needed to feel at home.

The conclusion of the workshop was that the group would like to continue the collaboration. Joomla and TYPO3 volunteered to help with documentation. We still have much work to do, both in explaining what open source is to EU bureaucrats and politicians, and in making the potential impact (both negative and positive) of legislation on open source clear to the general public.

From my perspective, impact and compliance questions have now become a central part of running an open-source project. Are we prepared?

Be Prepared, Legislation Affects Us

It is important to inform our stakeholders and the general public about the impact of legislation on open-source projects and their users. As someone said: “If you think you’re not affected by the Cyber Resilience Act (CRA), think again.” Adding digital products to the Product Liability Directive (PLD) may have an even more severe impact.

I am no legal professional, but based on what I’m reading and hearing, I think the CRA and PLD will require the TYPO3 Association and TYPO3 Company to think carefully about how the TYPO3 CMS and derivative products are produced and sold in the future. 

Thankfully, the immediate danger we saw from the CRA in 2023 has been quelled. However, we will only make good decisions for the future if we stay well-informed and vigilant.

Addressing the Burning Issues

I have noted some points and open questions that I think might be particularly important to understand and address:

  • Getting a CE mark for the ELTS products might be necessary. How much might it cost and what would be required to expand the marking to include the non-ELTS releases?
  • Open Source Stewards are introduced through the CRA and “should be subject to a light-touch and tailor-made regulatory regime.” But who will these organizations be and could one of them be the TYPO3 Association?
  • Standards are developed during the implementation of new legislation and create a common understanding of what is necessary for compliance. Today, they are mostly developed for and by organizations steeped in the closed-source mindset. If the standards are developed solely with closed source in mind, it will become strenuous to apply them to open source.
  • Commercially developed extensions are not very common in the TYPO3 ecosystem today. However, if we agree that a financially sustainable ecosystem necessitates commercial extensions, CE-marking TYPO3 extensions will have to be made as easy as possible.
  • The risk to individual developers drastically increases with the inclusion of software in the PLD: the GPL license’s “no warranty” statement is superseded by the directive. Will it at all be possible to insure against the risk of future litigation when you have no way of knowing how your software will be used?

Where To From Here?

There are many open questions, and we have a couple of years until the regulations and directives enter into force. By working together, both within our community and with our open-source partners, I think we have the possibility to create a stronger market position for open source and TYPO3.

For more information on upcoming legislation and the related challenges, read the recap of Neil Peretz’s talk about EU law at T3CON23.

Additional contributors for this article
  • Copy Editor: Felicity Brand