As usual this is a panicked overreaction. No, startups won't be fined out of existence by the iron fist of regulators who despise innovation.
> (93) In relation to microenterprises and small enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without affecting the level of cybersecurity protection [...] It is therefore appropriate for the Commission to establish a simplified technical documentation form targeted at the needs of microenterprises and small enterprises. [...] In doing so, the form would contribute to alleviating the administrative compliance burden by providing the enterprises concerned with legal certainty about the extent and detail of information to be provided. [...]
> (96) In order to ensure proportionality, conformity assessment bodies, when setting the fees for conformity assessment procedures, should take into account the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups. In particular, conformity assessment bodies should apply the relevant examination procedure and tests provided for in this Regulation only where appropriate and following a risk-based approach
> (97) The objectives of regulatory sandboxes should be to foster innovation and competitiveness for businesses by establishing controlled testing environments before the placing on the market of products with digital elements. Regulatory sandboxes should contribute to improve legal certainty for all actors that fall within the scope of this Regulation and facilitate and accelerate access to the Union market for products with digital elements, in particular when provided by microenterprises and small enterprises, including start-ups.
> (118) [...] specify the simplified documentation form targeted at the needs of microenterprises and small enterprises, and decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention [...]
> (120) [...] When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account [...], including whether the manufacturer is a microenterprise or a small or medium-sized enterprise, including a start-up [...]. Given that administrative fines do not apply to microenterprises or small enterprises for a failure to meet the 24-hour deadline for the early warning notification of actively exploited vulnerabilities or severe incidents having an impact on the security of the product with digital elements, nor to open-source software stewards for any infringement of this Regulation, and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on those entities.
First, I believe that you are correct in that small enterprises are not going to be fined out of existence (unless they continually fail to adhere to CRA requirements). The issue is that if you want to make a browser in the EU, you have to be extremely serious about it.
Second, you are quoting from the section of the act that the EU uses to lay out their reasoning, justification, and thought process. This section is not legally binding. The actual text (page ~28 and beyond in the linked document) is what controls. We have seen from DMA enforcement in regard to Apple that the EC does not consider conflicts between the two sections to be important.
> The issue is that if you want to make a browser in the EU, you have to be extremely serious about it.
The current browser vendors have made the web so complex that this is already the case regardless of what laws do or do not impose. It's simply too large a project to implement one for any non-serious project to succeed (as evidenced by the fact that we haven't got a new browser since... Chrome. Microsoft Edge, sort of, I guess, but that project was abandoned and they moved to Chrome).
True, but legal complexity and technical complexity are two very different things. I can pretty much guarantee from experience that small businesses prefer technical complexity every day of the week.
> if you want to make a browser in the EU, you have to be extremely serious about it.
Why is this a problem?
No, really; why is it a bad thing that if you want to create a complete new browser, you have to actually be serious and committed to it?
A web browser is a pretty significant piece of software, and it sits between you and the entire web. You do your banking through it. You access your email through it. You book flights through it.
If the browser is badly constructed or malicious, any of these very vital functions can fail in unpredictable ways, be compromised by unknown third parties, or even be deliberately intercepted by the browser itself.
Here in the US, and especially for tech people like us, we're used to thinking of software as a complete free-for-all: anyone can make anything they want, and anyone must be allowed to make anything they want! That's what Freedom means!
But that kind of freedom can have pretty serious consequences if it's treated without respect or abused. Frankly, I'm glad to see the EU starting to put some genuine safeguards in place for the people who have to use the software we make, to ensure that we can't just foist off crap on them and when they get their identity stolen because of our negligence, just say "lol too bad, Not Guaranteed Fit For Any Purpose, deal with it".
Yes, I don't want to say that this is a problem (or not a problem).
The original article has a quote from Apple saying that they don't know why nobody has submitted any new browser for them to approve and then goes on to list a bunch of reasons for why this is the case. All of which center on Apple being obstinate. If Apple was suddenly a nice friendly corporation, would the browser landscape in the EU change much?
The CRA has been law for less than 9 months. I don't think that the general software developer community has awakened to what it is going to involve when full enforcement begins in 2027. I believe that at least some of the people that had originally planned to create new browsers in the EU have reconsidered now that they know what their obligations in 1.5 years will be. And that is probably a good thing (but not Apple's fault).
> If Apple was suddenly a nice friendly corporation, would the browser landscape in the EU change much?
Not immediately. Because there are literally no browser vendors beyond the existing three. Everyone else is just slapping different coats of paint on Chromium.
It’s possible to have software, including browsers, that are not subject to the CRA.
F-Droid is essentially a Netherlands-based non-profit that will follow EU law when they have to. Some, but not all, of the software they currently host will be subject to the CRA, and if F-Droid wishes to continue hosting it they'll be a distributor under the CRA and be subject to obligations that they currently do not have.
The situation today is not the situation next year, and especially not 2 years from now.