4 EU Acts that will change software engineering

June 29, 2023 - 4 min.

Software engineering couldn’t be easier. You create a git repo, happily code away your stuff, maybe check that it works, push to github, and wait for the stars to rain, the MRs to be opened and issues to be fixed. Ok, sometimes you think for a moment which open source license you deem best for your code, but, really, who cares?

If you’re a company you might like to protect your Intellectual Property, but when it comes to releasing some software, it’s typically no strings attached. Adding copyright and no-warranty notices, done!

This might change in the future. A number of legislations is in the works, mostly in the EU.

A lot of laws, via dall-e

Cyber Resilience Act (CRA)

The CRA requires device and software makers to go through extra lengths of making sure their product has no known vulnerabilities and can be security-fixed even when already used out in the field (in a digital product or device). It requires conducting extra checks before releasing a digital product and reporting through official channels in case a breach has been detected.

If you ever compiled a non-trivial software based on Java or Javascript, you know that dozens or even hundreds of upstream libraries are pulled in. This is called the software supply chain, often heavily composed of Open Source Software. It’s impossible to assess all those libraries. And you might have noticed that some of them already have known vulnerabilities, but it’s quite hard for the downstream user to fix them or get around using them.

Legally, the CRA might apply to all of those software projects. Sounds not so naive and innocent anymore.

Data Governance Act

The Data Governance Act wants to facilitate data sharing within the EU.

The public sector is required to make more data public than it does today. So if you’re active in that domain, the Data Governance Act might apply to you.

Beyond data sharing, the Act promotes the creation of so-called “Data Spaces”. I’ve been involved in Data Spaces before, so happy to discuss that interesting topic, but not in this article.

If you as a software vendor or service provider need to get involved in Data Spaces, be prepared to enter a completely new world of stuff going on on top of what a simple HTTP or FTP server considers “sharing of data”. I recommend you call in your resident Business Process Analyst or favorite Enterprise Architect in order to cope with all the terms and the complexity (aka “fun”). This might leave you at least with some time where you’re still actively coding.

Artificial Intelligence Act

Wanna do AI, ha? Ok, not so fast. Which risk level does your AI belong to? Where’s your training data? How do you manage bias? And where can I find your AI Risk Management System?

Well, you are used to simply upload your model to Hugging Face? In a commercial context being impacted by EU AI Act, the precious Senior Data Scientist might no longer be the highest paid staff member, when you bring in your legal team.

And even if you’re a classical software developer, think twice. Maybe you’ve started using some tiny AI component or an AI-backed API in your stack? The AI Act might come to you through the rear door.

Product Liability Directive

That’s an old one. The older legislation gets, the higher the need to adopt it to modern times. Of course, products need to be safe. And honestly, most of the products we use all day are digital products aka software-based devices and services. So to cut a long story short, digital products will be covered by a future iteration of this directive. This way, software producers become liable for damages. There goes your no-warranty claim in your terms and conditions. We don’t know for sure yet, but this might affect open source licenses, like sections 7, 8 and 9 of the Apache License 2.0, which is very often chosen. Those sections make up one third of ASL2.

Fundamental Changes Ahead

These are just excerpts of relevant legislation that is currently worked on in the EU. I skipped over “Data Act”, “Digital Services Act”. In the United States, there’re also different initiatives brewing in Congress and government.

So, as a software company, open source developer or AI entrepreneur, the time of innocence is coming to an end. Well, those among us who write software that is used in a Boeing cockpit, is running a power plant or produces your favorite pain reliever might just shrug. But for the rest of us, this is mindblowing, maybe life changing. It deeply affects our industry. Let’s hope it’s for the better.


Disclaimer: This legislation is emerging, might or might not be in effect yet, and might still see substantial changes. We’ll update this article as new information becomes available. If you’re looking for legal advice, ask a lawyer.

We take the risk out of your AI.
Do you need to make your AI products conformant with regulation? algo consult specializes in helping companies to master regulation. Let's go through the process together.