European Cyber Resilience Act - legal advice wanted #2049

Open
2 tasks
stephanrauh opened this issue Jan 8, 2024 · 11 comments
@stephanrauh
Owner

stephanrauh commented Jan 8, 2024

Update May 24th, 2024: At the moment, I'm positive that the Cyber Resilience Act is implemented in a way that allows me to carry on with the project. However, until I've seen the final German law, there's no way to be sure. Generally speaking, I believe the Cyber Resilience Act is a very good idea and I support it, but even so, there's a 10% chance I have to abandon this library. Alternatively, if it comes to the worst and I do not want to abandon the library, I might be forced to make money from it just to be able to fulfill the law. If it comes to that - remember, that's unlikely - please support me!

Original post:
If the full obligations of the European Cyber Resilience Act apply to the library, I'll have to abandon the library. That's not unlikely, because ngx-extended-pdf-viewer is based on a part of the Mozilla browser, which belongs to the second of three security categories defined in the act.

So I'm reducing my engagement with this library, preparing to shut it down. Until the law comes into effect, I'll fix a few bugs, but I'll stop developing new features, and quit work entirely after that.

However, if someone can convince me that ngx-extended-pdf-viewer does not belong to class I or II defined in the CRA, I'll pick up work again.

  • How does the upcoming European Cyber Resilience Act affect pdf.js? @timvandermeij @calixteman
  • Do projects using pdf.js have to fulfil the same obligations?

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CONSIL:ST_17000_2023_INIT

@stephanrauh stephanrauh self-assigned this Jan 8, 2024
@stephanrauh stephanrauh pinned this issue Jan 12, 2024
@stephanrauh stephanrauh changed the title European Cyber Resilience Act - checking the impact on pdf.js European Cyber Resilience Act - putting the library into maintainance mode Jan 12, 2024
@stephanrauh stephanrauh changed the title European Cyber Resilience Act - putting the library into maintainance mode European Cyber Resilience Act - putting the library into maintainance mode - legal advice wanted Jan 12, 2024
@stephanrauh stephanrauh added the help wanted Extra attention is needed label Jan 12, 2024
@juqing27

I just want to say.... this is an AMAZING library, please don't give up!!!

@stephanrauh
Owner Author

Thanks! The problem is not giving up. The problem is I can't pay the fees of up to 15 million EUR, and the legal text is confusing, to put it mildly.

@timvandermeij

I'm afraid I can't help out with this because I'm not familiar with the ECRA and its legal implications. Perhaps the Mozilla legal team can help out with this?

@rafparedis
Contributor

Hello Stephan,

I've found this article explaining the relation of CRA to open source. It might help.

https://berthub.eu/articles/posts/eu-cra-what-does-it-mean-for-open-source/

At first glance it looks okay if the project is not a commercial monetised one.

@stephanrauh
Owner Author

@timvandermeij That's a very good idea. I haven't found a contact address. Can you give me a hint how to approach them?

@timvandermeij

I'm not entirely sure because I can't find a direct e-mail address of the legal team, but I did find https://www.mozilla.org/en-US/foundation/licensing about licensing with an e-mail address at the bottom (and I guess your question is also related to licensing of Mozilla PDF.js in combination with new EU law). If they cannot answer your question, most likely they can point you to the right person/team.

@stephanrauh
Owner Author

Thank you very much! I've sent the email. Fun fact: I've been on the same page, but for some reason I've missed the email address.

@rafparedis Thanks for showing me the article. I agree - the text really indicates I can relax. However, several lawyers make big money by finding and exploiting loopholes in laws, so I prefer to be careful.

@sylvestre

I would not worry, the latest version of the CRA is much nicer than the previous draft.
It should not change much for such projects.

@stephanrauh
Owner Author

Sounds encouraging! BTW, I don't object to the regulation as such. Most of it makes sense to me. Basically, I'm only worried about having to get a security assessment because that sounds expensive. On the other hand, I'm already running Mend Bolt, Snyk, Dependabot and Sonarcloud today. I wonder if that counts as a security assessment?

@stephanrauh stephanrauh changed the title European Cyber Resilience Act - putting the library into maintainance mode - legal advice wanted European Cyber Resilience Act - legal advice wanted May 24, 2024
@Tweniee
Contributor

Tweniee commented Jun 6, 2024

@stephanrauh what's happening now, all working good?

@stephanrauh
Owner Author

@Tweniee That's a very good question. At the moment I simply wait for the law to pass. After doing a lot of research, I know for sure that the EU does not want to kill small open-source projects. But it's still possible that they will do it accidentally, pretty much like they accidentally killed my travel blog with GDPR.

The latest draft of the Cyber Resilience Act is full of contradictions, so it's impossible to tell what a malevolent lawyer is going to make of it. I hope the German law is going to be more concise and clear.

In the meantime, I'll continue working on the project, but with reduced effort because the end might be near. That'd be a pity given the tremendous success of the library. It grew organically to 80.000 downloads per week, with a short peak of 250.000 downloads when it was listed by https://github.com/PatrickJS/awesome-angular?tab=readme-ov-file#viewers.


6 participants