The open source community suddenly discovers the “yes but we didn’t mean like that”-effect…

• While proprietary software is developed behind closed doors, Free Software development is done in the open, transparent for everyone. To retain parity with proprietary software the open development process needs to be entirely exempt from CRA requirements, just as the development of software in private is. A “making available on the market” can only be considered after development is finished and the software is released.
• Even if only “commercial activities” are in the scope of CRA, the Free Software community – and as a consequence, everybody – will lose a lot of small projects. CRA will force many small enterprises and most probably all self employed developers out of business because they simply cannot fulfill the requirements imposed by CRA. Debian and other Linux distributions depend on their work. If accepted as it is, CRA will undermine not only an established community but also a thriving market. CRA needs an exemption for small businesses and, at the very least, solo-entrepreneurs.

https://bits.debian.org/2023/12/debian-statement-cyber-resillience-act.md.html