The European Cyber Resilience Act
Posted Sep 21, 2023 0:47 UTC (Thu) by ch33zer (subscriber, #128505)
Parent article: The European Cyber Resilience Act
Posted Sep 21, 2023 2:41 UTC (Thu)
by wtarreau (subscriber, #51152)
Also I don't see how they could draw a "perfect line" between commercial and non-commercial because this line does not exist. Sometimes some users of your code send you some money: this can change the perception of the relation, especially if you reach a point where you can make a living off it. And the vast majority of OSS that lives more than 3 years is backed by some companies who are able to pay some developers. This really risks simply ending a large number of projects, because it will be considered that it's not worth the hassle of continuing to sell them, hence let's just stop developing them.
Posted Sep 21, 2023 9:39 UTC (Thu)
by farnz (subscriber, #17727)
A user giving you some money does not, in and of itself, make it a commercial setting. For it to be commercial, there needs to be an offer of product or services from you conditional on the receipt of money, followed by the money coming through. So, if you say "I'll fix this bug if people give me €10,000", and I send you €10,000, you're doing something commercial. If I see a "donate here" button on haproxy's website, and donate €10,000 because I love the project, it's not commercial - the money was a gift, and this applies even if I'm a heavy user of haproxy and also ask you to fix bugs.
Similarly, this is where the carve-out for projects where no single commercial entity has control is coming from; if Google and Facebook both pay developers on a project, but neither Google nor Facebook has overall control, it's out of scope. The only reason this isn't a more general "open source" carve-out is that we want to avoid the situation where Dodgy Products Ltd open-sources all of its code under AGPLv3 (making it "open source"), but refuses to accept outside contributions, and refuses to support any builds other than its own, but escapes liability because it's "open source". On the other hand, something like haproxy where no single company has control is out-of-scope as a project; it comes in scope if you're selling it (either on its own, or as part of a product).
Posted Sep 21, 2023 10:05 UTC (Thu)
by wtarreau (subscriber, #51152)
Posted Sep 22, 2023 21:27 UTC (Fri)
by kleptog (subscriber, #1183)
Actually, it is fairly black and white. Because it's basically the same calculation that needs to be done to determine if VAT is payable over the amount. If the €10,000 is paid for a patch, there's VAT payable and there must be an invoice. If the €10,000 is a donation there's no VAT. Since VAT is usually around 20% of the amount, there's a lot of case law and rules about these situations because it matters to the tax office. And in practice it's nowhere near as grey as you think, because in every transaction the participants agree on the commerciality of the transaction as part of the agreement.
(Note: small businesses may be VAT exempt but that doesn't change the calculations. The invoice then just says "should have VAT but seller is exempt" and there's less paperwork.)
You can actually play around with this in some situations. Someone else made the argument that any organisation accepting money from the EU is commercial, but that all depends. If you get an EU grant for "improving the cybersecurity status of your project" that's non-specific so no VAT. If you get an EU grant for "making a secure and audited version of your project" that's a concrete deliverable and so VAT may be payable. The former wouldn't be commercial, the latter would be. The grant will include a statement clarifying which it is.
The US doesn't have VAT, so this probably sounds very weird to Americans. And possibly even to many Europeans who don't have experience with VAT administration.
Posted Sep 23, 2023 7:12 UTC (Sat)
by Wol (subscriber, #4433)
The US has Sales Tax, though, which, although it's a bit different, is the same principle (we had the equivalent of Sales Tax before we joined the EU, hence all our "membership wholesaler"-type businesses). When we had Sales Tax, B2B transactions were exempt - VAT is similar in that you pay the taxman the difference between in and out - but B2C transactions were taxed. Likewise VAT is similar - the consumer can't reclaim the VAT.
So, assuming transactions come in three Sales Tax types, ie payable, exempt (eg B2B), and non-applicable, commerciality covers the first two but not the last.
(Membership wholesaler businesses were classed as B2B, but had a fair few B2C type members eg charities, people who used cards on personal businesses, sole traders and partnerships, etc etc, in order to avoid Sales Tax. Part of the reason behind VAT was to close that loophole.)
Cheers,
Wol
Posted Sep 21, 2023 12:44 UTC (Thu)
by pizza (subscriber, #46)
Does it matter if they approached you first?
Because in the F/OSS context, this "offer of product or services" is little more than "I can add that feature you asked for; it's going to take approximately $hours and I charge $rate." and if they agree, BAM, you're now an EU "manufacturer."
...And once you gain that lofty status, how do you shed yourself of it? I've not done any business with an EU entity in several years, though I'm still ostensibly "in business" in my home (non-EU) jurisdiction. In fact, earlier this week I was helping a gentleman from Germany gather the data I need to hunt down a bug, but no money is expected to change hands.
Posted Sep 21, 2023 13:06 UTC (Thu)
by farnz (subscriber, #17727)
Who approaches whom doesn't matter. It's commercial if there's an offer of products or services, followed by an exchange of money; at that point, you're in a commercial transaction, and you are liable for the products or services you've sold.
And you only have that status for products and services sold in a commercial setting. Say I accept €10,000 from you to fix a bug in Linux kernel PPPoE support that affects your ISP; that fix is done as a service (the end product is a patch that applies to a known git tree from Linus). That patch is commercial - I offered to make the fix, you paid me for it. If I then do a later patch to Linux kernel PPPoE support to fix a different bug that affects me, or that adds a feature to kernel PPPoE support, that patch is non-commercial, because I didn't have a commercial relationship with you for that patch.
It gets trickier with a follow-on patch to the one you paid me for - if I supply a second patch that fixes a bug introduced by the patch you paid me for, that patch is considered part of the service you paid for (since it's a follow-up to our previous commercial relationship). But this is something a judge should be able to resolve; was my later patch a part of our existing commercial relationship, or was it a separate non-commercial transaction? A system update from Apple to your iPhone is probably part of the existing commercial relationship you have with Apple; a new app from Apple that's not forcibly installed probably isn't.
