To the MEPs shaping the EU Cyber Resilience Act,
Moodle is an open source Learning Management System (LMS) that is dedicated to empowering educators, trainers and learners all around the world. Our goal is to create solutions that make learning accessible to everyone, regardless of their location or financial situation.
Our open source system is used by more than 70% of Europe’s Higher Education institutions to facilitate the delivery of quality education as a public endeavour. Our solution is also used by numerous European Education Ministries, some of which are listed below, as well as UNESCO, the United Nations and the European Union itself (https://academy.europa.eu).
- Gencat Departament d’Educació
- Xunta De Galicia
- Federal Ministry Republic of Austria – Education, Science & Research
- Ministerium für Kultus, Jugend und Sport Baden-Württemberg
- Junta de Andalucía
- Landesbildungsserver Baden-Württemberg
- Bayerisches Staatsministerium für Unterricht und Kultus
- Ministerio De Educación Y Formación Profesional
- Junta de Castilla y León educacyl
- Department of Education, Culture and Sports of the Government of Aragon
- Aulas Virtuales EducaMadrid
- Eusko Jaurlaritza Gobierno Vasco Department of Education
- Collecto Services Regroupés En Éducation
- Consejería de Ciencia, Innovación y Universidad, Asturias
- The Catalan Electronic Education Network (XTEC)
- Aula Virtual Ceuta
- Aula Virtual Melilla
Whilst we support the intent of the Cyber Resilience Act (CRA) to bolster security and quality in European software and hardware, we write today to express concerns with the current proposal. We believe that it may inadvertently undermine the goals and principles of open source software development and its use in the provision of quality educational outcomes for all.
Open source platforms are pivotal in realising the EU’s mission of driving an open economy, fostering innovation and advancing prosperity, and they align with the principles of the Global Partnership for Education and the Leadership Group of the global education coordination mechanism led by UNESCO. In particular, open source education platforms are a crucial component in redressing inequalities and the digital divide in accessing remote learning.
We invite you to reconsider some of the clauses currently included in the act which prompt questions and concerns.
Recommendations from Moodle
1. Address commercial activity definitions
Open-source software is developed via various, complex and intricate economic models. The non-commercial exemption currently included in the act is too narrow and needs to be revisited to consider these unique dynamics, specifically the clauses that limit donations and contributions by corporate developers. This is essential in making the application of the act possible whilst supporting a sustainable open-source ecosystem.
2. Reconsider vulnerability disclosure requirements
The act currently mandates that any software developer must report all actively exploited vulnerabilities to ENISA within 24 hours of their discovery. This approach, particularly concerning vulnerabilities that haven’t been patched, contradicts established practices that restrict disclosures to those capable of contributing to resolving security issues. The widespread disclosure of unpatched vulnerabilities not only fails to enhance the resilience of the open-source ecosystem but also increases its susceptibility to risks.
3. Remove the impost on “Unfinished Software”
The proposed restrictions on “unfinished software”, which limit the amount of time it can be made available and impose compliance requirements on it, will reduce the quality of software development. Early, rapid and iterative releases are vital for innovation. Critically, such restrictions may compromise software security rather than improve it: the more people who can test a solution, the more likely it is that bugs and issues will be identified. It is this same principle that informs the belief that an open-source approach to software development ensures a higher level of security compared to proprietary software. The act needs to reconsider its current limitations to better support experimentation and open-testing approaches.
4. Address legal responsibility attribution requirements
Our open-source LMS has been under development for more than two decades and was created thanks to the contributions of thousands of individuals, including employees of EU-based educational institutions, government departments and corporations. Importantly, our continued sustainability relies on these contributions continuing; this is also true for most open source software solutions. Mapping the legal responsibility for compliance with regulations to individuals or corporations is nearly impossible in this context. The act currently imposes hard lines on the attribution of legal responsibility which need to be tempered to recognise the unique context of open source software.
5. Recognising the impossibility of EU centricity in software development
A substantial portion of software applications is constructed using existing open-source applications, operating systems and code libraries. This is true for any software application, and even more relevant in an open-source context. The intricate architecture of most software platforms does not feasibly allow development and distribution to be separated into solutions produced for use in the EU and solutions produced for non-EU geographies. The act does not currently recognise this limitation, making its application potentially impractical or highly detrimental to the EU digital landscape.
It is worth stating again that our recommendations are made in full consideration of your intent to prioritise cyber resilience – an effort we support unequivocally. A defining characteristic of Moodle’s open-source values and practices is our pledge to build a secure learning management system that protects the privacy and security of learners’ and employees’ data. Our Moodle platform experiences extremely low numbers of security incidents, thanks to its open-source nature and mature security vulnerability reporting and management practices, and we are committed to sustaining this in the future.
We appreciate your attention to this matter and your consideration of our recommendations.
The Moodle Team