
Suppose Alice develops some software and releases it under an open source licence. She receives just enough money to be counted as "commercial". This may be donations from users, it may be tokens for contributing to a cryptocurrency project, or it may be that the software was developed on commission. She then retires, sells her computer, stops checking her email and tends to her garden. The software could be anything; examples where critical tools are maintained by people who may want or have to stop working at some point include "The Internet is Being Protected by Two Guys Named Steve", who were largely responsible for OpenSSL (used by almost all servers and involved in the Heartbleed bug), and the sole maintainer of the library core-js (used by 75% of the top 100 websites), who went to prison for 18 months for lack of the money to settle. These would seem to fit the EU description of critical products.

Sometime later, but within five years and the expected product lifetime, a bug is identified that could count as a vulnerability that requires a security update. Alice knows nothing about it and does not provide an update or otherwise handle the issue effectively.

Assuming the EU passes the Cyber Resilience Act (CRA) as currently drafted, would Alice's behaviour breach the law?

As far as jurisdiction is concerned, assume that at least one user is in the EU, Alice may or may not be.

This is mostly based on the Cyber Resilience Act - Factsheet which says among other things:

Manufacturer’s obligations

  • Once sold, manufacturers must ensure that for the expected product lifetime or for a period of five years (whichever is the shorter), vulnerabilities are handled effectively;
  • Security updates to be made available for at least five years.
User65535

3 Answers


An obvious workaround for individuals would be to operate through a front company and then simply dissolve that front upon retirement.

Provided it is the front which offers the product to market and not the individual developer, the obligations will lapse with the front.

I suspect people who make a few bob as gigging developers are not the main target of this law, however. Corporations with serious resources are.

It's worth noting that these rules are not unusual for anyone trading directly with the market.

If you lay bricks for money, then you are potentially on the hook for a number of years afterwards for the quality of your workmanship and so on. You can't simply retire suddenly from your legal obligations.

These proposals simply begin to bring commercial software development (as distinct from hobby or employed development) into the same world that other trades and professions operate in.

Steve

The essence of this question is whether Alice, a natural person, is exempt from the EU rules for "economic operators". The EU definition of "economic operator" in the CRA specifically includes natural persons. Therefore, Alice falls under the obligations of the CRA.

MSalters

I think you are thinking about this in the wrong way:

The act does not make it illegal to retire after having sold software.

It makes it illegal to sell software just before you plan to retire, unless you arrange for someone else to maintain it.

If you want to sell software then you are expected to plan in advance for how that software is going to be maintained. If you plan to not retire for 5 years then you will have to either stick to that plan, or else make sure that someone else maintains the software. Having been paid (including asking for donations) then you are responsible for paying for the software to be maintained.

Tom V