Suppose that applies to your open source because you are using a commercial split license and / or providing premium support or otherwise clearly commercialising the activity.

If you comply with all the CRA requirements (whatever they are) but the (free) USER of your software (user, not customer) gets hacked because of a security hole in one of your dependencies (that was not known) or a security hole in your own code (after all, is it possible to create something bulletproof?) - are you liable for damages, and what does it mean exactly in practice?

How does it differ from a situation where you offer proprietary software free of charge as a commercial activity? Can the right EULA protect you from such damages? In other words, does it make the well-known "THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND..." license even worse from the liability standpoint than a proprietary license agreement?

Would it not even invalidate those licenses, since the license text cannot comply with the law? This is a big blow to open source. It does not matter whether it's monetised or not; open source is open source. They are messing with the definition. And to achieve what effect? The biggest cybersecurity problem, one that dwarfs all others combined and one that governments especially should worry about, is the fact that memory vulnerabilities are everywhere: everything from the OS to the web browser to the most popular GCed language interpreters is built on C++. And someone as determined as the people behind xz could probably bypass this regulation, if it could be of any help (an obstacle to the attacker) at all in the first place.

It does potentially shut down a project I have considered commercialising (like, I may release it as "hobby open source" and dump it, because I otherwise have no incentive to give my free time). If for every paying customer I am to be liable for 100 - 1,000 non-paying users, no thanks. Maybe I would not do it anyway, I have something else in sight, but I was very serious about experimenting with it, since I have most of it built anyway and it's just this opportunity to try it out as a side gig for a couple of years, taken away by some bureaucrats. I have yet to do some more research on this (check my question in the second paragraph), but it does not sound like fun.