EU aims to police IoT code
- November 19, 2025
- William Payne

The European Commission is signalling that it plans to monitor and regulate open source code, including the code that runs on IoT devices. The move has been attacked by major companies and industry bodies, among them IBM and the Linux Foundation. Some characterise it as an existential threat to innovation in open source, and as a step that would freeze development across a large number of IoT and embedded devices.
The initiative, led by the European Commission’s Unit for Cybersecurity and Digital Privacy, is being driven by the sharp rise in cyber attacks on European infrastructure since Russia’s invasion of Ukraine, and by growing concern over European dependence on US software and cloud infrastructure.
Causes for concern
Several recent events have galvanised these concerns. One is the series of incidents affecting the energy grids of the UK, Norway, France, Spain and Portugal in April this year, which the Commission treats as coordinated attacks. The incidents at the UK and Norwegian ends of the UK-Norway undersea energy interconnector were rapidly contained by both grid operators without any loss of service. The Iberian blackout of the same day, which cut power across Spain and Portugal and briefly affected parts of south-west France, took most of a day to restore. It should be noted, however, that the subsequent investigations by the Spanish government and by ENTSO-E attributed that blackout to voltage-control failures within the grid and found no evidence of a cyber attack, so its value as evidence of hostile activity is contested.
Another event is the loss of Microsoft services at the International Criminal Court in The Hague, Netherlands, after the court was sanctioned by US president Donald Trump in February 2025. Following the sanctions, the ICC’s chief prosecutor, who had been personally sanctioned, found that his Microsoft e-mail account had been cut off. This confirmed existing fears that European institutions are vulnerable to the actions of the US government, and strengthened calls for digital sovereignty, in which open source software would play a key role.
Outdated, vulnerable IoT code
The third major event has been the publication of a report on the state of open source code in commercial software, including IoT and embedded systems. The “2025 Open Source Security and Risk Analysis Report” (OSSRA), compiled by Black Duck from its own audit data and released earlier this year, paints a stark picture of the state of IoT device code.
The report found that a large majority of the audited codebases, including those of IoT and embedded devices sold in Europe, contain old, sometimes decades-old, open-source components with known, severe vulnerabilities. Patches and updates are not being applied by either consumers or manufacturers, according to the report. The implication drawn from it is that Europe’s homes, hospitals and factories are filled with millions of vulnerable devices, creating a collective security risk that regulators can no longer ignore.
So far, the European Commission has signalled only that it intends to “police” open source software. It is unclear at this stage what the Commission means by “policing”, or which legislative instruments or regulations this might involve.
What is perhaps remarkable is that the OSSRA report, which is acting as the main justification for the Commission’s actions, actually places the blame on manufacturers and users of IoT and embedded devices, not on open source developers. The report states that in most cases up-to-date patches for the affected components already exist but have not been installed by either manufacturers or users. Yet the Commission is targeting developers, and its chosen approach is ringing alarm bells across industry.
Existing legislative frameworks
The Commission has three main existing legislative instruments: the Cyber Resilience Act (CRA); NIS2; and the Artificial Intelligence (AI) Act. Between them, and especially through the CRA and the AI Act, these already regulate aspects of the OSS ecosystem.
However, it is currently unclear whether the Commission aims to build a regulatory structure for OSS by extending and expanding the scope of the CRA and the AI Act (dubbed a “twin-track” legislative strategy), or whether it will have to draft and enact a new Act or Directive.
The aspects of the IoT and wider OSS ecosystem defined in the CRA and the AI Act are specific rather than all-encompassing, whereas the Commission now appears to be attempting to redefine them. The Commission may well run into problems in the courts if it tries to stretch two different pieces of legislation into what would in effect be a third, entirely new piece of legislation, granting it sweeping powers without the approval of either the European Parliament or the Member States acting through the Council.
Uncertainty over Commission plans
This uncertainty over how the Commission intends to regulate the OSS ecosystem, what form the regulations will take, and whether the Commission will simply extend existing Acts without debate or third-party input, has the tech industry particularly worried.
The Commission’s plans have been met with alarm from the OSS community, including major firms. At a conference in Brussels held by the Centre for European Policy Studies (CEPS) on October 30th, a coalition of tech firms, developers, and open-source foundations voiced grave concerns.
Attendees, including industry giants like IBM, delivered a stark warning: the Commission’s envisaged rules could fatally undermine the open-source model.
Their arguments rest on three points: the “nature of OSS”; the liability burden the EU is threatening to impose; and the “chilling effect” the EU’s plans could have on both the OSS and the IoT industries.
The “nature of OSS” argument holds that a significant portion of open-source software is not made by large corporations. It is built and maintained by loose-knit global communities, independent developers and small non-profits, often working for free. This ecosystem of smaller and independent developers would be directly threatened by the Commission’s planned actions.
The liability argument is that if new EU rules place a legal and financial burden on these independent developers similar to that imposed on commercial manufacturers by the CRA, the effect will be catastrophic: no volunteer developer will risk personal bankruptcy to fix a bug in their spare time.
Finally, the Linux Foundation and others argue that the proposed regime will have a “chilling effect” on both open source development and on the industries that depend on it, such as IoT and smart-tech development. The fear, as voiced at the conference, is that the rules will deter open-source developers from contributing. Small firms and independent programmers, unable to afford the legal and compliance overhead, would be driven out of the ecosystem, leaving it in the hands of only the largest corporations.
Some in the open source movement assert that the EU is trying to apply a 20th-century, top-down regulatory model to a 21st-century, decentralized, and collaborative phenomenon.
Impact on the IoT industry
Implications for the IoT industry could include: higher costs; slower time to market; and an innovation freeze.
Increased liability, mandatory monitoring, and new certification processes will not be free. These costs will be baked into every smart device, from light-bulbs to medical scanners, and ultimately passed on to European consumers and businesses.
The regulations could also mean slower time-to-market. The ability to build rapidly on existing open-source code allows start-ups to innovate and bring new IoT products to market quickly. If every line of code must now pass through a complex regulatory and legal review devised by the European Commission, development cycles are likely to slow to a crawl.
Small, agile start-ups, the lifeblood of the IoT sector, would be hit hardest. Unable to carry the compliance burden, many may simply fold or avoid the European market altogether. Something similar is already happening under the Medical Device Regulation (MDR), with a number of firms actively withdrawing from EU markets. Regulation of OSS code could stifle innovation and, ironically, reduce security, as companies shy away from adopting newer, more secure codebases for fear of liability.
The consensus at the CEPS conference was that the European Commission must find a “smart” approach that targets the commercial entities profiting from open-source code, without punishing the community that creates the code in the first place.