The European Commission wants to make software “safer” for users via rules that would also apply to open source software.
This could make it harder for small developers to keep creating and sharing freely, open source contributors said during a CEPS conference on the topic in Brussels yesterday.
“The state actors are driving their own agendas,” said Mirko Boehm, researcher at the Technical University of Berlin and contributor to the US-based Linux Foundation, a non-profit supporting open source software projects.
He warned that applying rules to the open source community “could undermine the very goals behind them”.
The European Commission is turning its attention to open source software, the shared, publicly available code that forms the foundation of most digital products.
The 2025 Open Source Security and Risk Analysis Report found that 97 per cent of software it examined contained open source code, while 81 per cent had serious security vulnerabilities.
The study found that most of the code was also outdated with 90 per cent of projects using components more than four years old and many relied on software that is no longer maintained.
In practice, that means parts of the internet still run on code written years ago by unpaid volunteers who have since moved on.
Kreshnik Rexha, chief technical officer for data and application security at IBM (EMEA), said at the same conference that when one open-source volunteer coder removed a small piece of shared code, thousands of websites and services broke overnight.
But the fact that these developers work for free makes it hard to justify compromising their creativity with unadapted rules.
He said that smaller companies may struggle most with new requirements. “Not everyone is IBM or Red Hat,” he said. “Some small manufacturer in Italy has one IT guy — how do we support them?”
The European Union’s cybersecurity agency says 62 per cent of cyberattacks exploit the trust between customers and their suppliers.
The EU’s new rules come mainly through two laws: the NIS2 Directive and the Cyber Resilience Act.
NIS2 sets requirements for governments, hospitals and critical industries to protect their networks from cyberattacks.
The Cyber Resilience Act goes further — it will require any product with digital parts, from “smart” fridges to car software, to meet basic cybersecurity standards before it can be sold in Europe.
The rules also apply when open-source code is built into commercial software products that are placed on the EU market.
“It’s more important than ever, given the current geopolitical realities,” said Raluca Stefanuc, Deputy Head of Unit for Cybersecurity and Digital Privacy at the European Commission.
The call follows a surge in cyberattacks since the war in Ukraine began in 2022. That is combined with growing global tensions around technology supply chains, and Europe’s push to reduce its dependence on foreign digital products.
Open source contributors warned that Europe’s growing reliance on formal standards could push policymaking away from developers and towards large institutions.
Boehm said when regulation is implemented through European standards bodies, it risks “delegating policymaking” to organisations that do not represent the people who actually write the code.
The Cyber Resilience Act entered into force on 10 December 2024. The main obligations introduced by the Act will apply from 11 December 2027.
The NIS2 Directive has applied since October 2024, and although it does not explicitly regulate open-source projects or maintainers, it does place responsibility on organisations that use open-source components.