Comment by stockresearcher

7 months ago

Even if you get past the roadblocks Apple has put in place, it’s not beer and skittles for browser makers in the EU.

The CRA, which is now in effect, lists browsers as class I important products. Technical documentation, design documentation, user documentation, security conformance testing, a declared support period at the time of download, software bill of materials, the legal obligation to respond to and make all your internal documents available to market surveillance organizations, etc.

And if the EU doesn’t publish harmonized development standards by 2027, you will be required to pay a 3rd party to come in and analyze you, your design, and the security of your browser, and make a report to send to the market surveillance organization, who gets to decide if you have the requisite conformance.

Are you sure that anyone but the big boys want to make a browser in the EU?

Here is the law, please point out where I am wrong. Much appreciated :)

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L...

We are not generally used to this in our field but just think about the amount of paperwork you have to go through in order to construct a bridge or an airplane. Browsers have become a critical component and it seems not really unexpected that there will eventually be legal requirements to help ensure that browsers are safe given the amount of software that runs on top of browsers. And this is also not new, there have been legal requirements for all kinds of software for a long time, you will just not think about those unless you work in an affected area.

  • >but just think about the amount of paperwork you have to go through in order to construct a bridge [...]

    Yeah, I do. Guess which industry has seen negative productivity growth in the past 2 decades, even though the broader private sector grew by 50%?

    https://www.economist.com/content-assets/images/20250712_WBC...

    • Could it be fundamentals are different when you're building physical buildings vs software that's eating the private sector? (Among other factors.)

  • Are you seriously suggesting that becoming more regulated like bridge/building builders is GOOD for software?

    You sure you are ready to freeze all innovation forever? 'Cause there is a well documented inverse relationship between regulation and innovation. (Small teams cannot afford compliance officers and other such dross. Big ones do move fast, and, without competition from the smalls, do not need to.)

    • For software used by regular people who do not know anything about software and shouldn't have to, used to manage their banking, do their taxes and other things that they need to be able to do online these days? Yes.


  • How will regulations on browsers make us safer though?

    • Right. Define "safe."

      Personally I consider Chrome to be one of the least-safe browsers available, because it sends my data to Google. Also it perpetuates a monoculture. However, others may define "safe" differently, excluding such considerations.

    • By making their implementors responsible for implementation and safety errors, presumably. See every other engineering profession and business.

  • Curious then that this safety regulation should apply only to browsers on iOS and not every other type of app distributed.

Holy cow, they’re serious:

Penalties:

• Up to €15 million or 2.5 % of global turnover for essential requirement failures.

• €10 million or 2 % turnover for other obligations.

• €5 million or 1 % turnover for misleading or incomplete documents.

On the one hand, these are important standards. On the other, it seems impossible for small shops to adhere to a lot of this.

  • Watch them not enforce this at all whenever they need something from the US, like how they delayed (and afaik still do) heavy Google/Meta/Apple fines for DMA. Laws don't matter, only enforcement. See TikTok ban.

    • This is the biggest issue that techies on HN don't understand.

      These tech giants are essentially extensions of the United States' government now and fining them or imposing restrictions isn't as simple as fining any corporation due to the geopolitics at play.

      The long term solution is for EU to decouple its reliance on American technology. Anything else is a bandaid IMO.


  • Hear me out, I have a tinfoil hat theory. What if, those requirements weren't put to help small shops making a new browser, but to guarantee the big shops who already have a browser are getting fined? *hits bong*

    • And this is why the EU's GDP versus the US is now only 65% and shrinking. The regulations are about beating US companies into compliance, sometimes with righteous motives; but there's no forethought on how a domestic EU startup might be able to comply, or how a startup would convince investors to take the gamble.


Can somebody tell me if this applies to FOSS browsers?

  • Someone will need to establish an entity to bring a distributable version of that browser to an app store, and in doing so will take on the compliance liability.

    • Doesn't Firefox already have it? Or the requirements for Apple store different from Google in EU?

> "Are you sure that anyone but the big boys want to make a browser in the EU?"

Surely that's the point - a collusive oligopoly making end runs around the "free market". Just look at all the other replies, rich with apologia.

As usual this is a panicked overreaction. No, startups won't be fined out of existence by the iron fist of regulators who despise innovation.

> (93) In relation to microenterprises and small enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without affecting the level of cybersecurity protection [...] It is therefore appropriate for the Commission to establish a simplified technical documentation form targeted at the needs of microenterprises and small enterprises. [...] In doing so, the form would contribute to alleviating the administrative compliance burden by providing the enterprises concerned with legal certainty about the extent and detail of information to be provided. [...]

> (96) In order to ensure proportionality, conformity assessment bodies, when setting the fees for conformity assessment procedures, should take into account the specific interests and needs of microenterprises and small and medium-sized enterprises, including start-ups. In particular, conformity assessment bodies should apply the relevant examination procedure and tests provided for in this Regulation only where appropriate and following a risk-based approach

> (97) The objectives of regulatory sandboxes should be to foster innovation and competitiveness for businesses by establishing controlled testing environments before the placing on the market of products with digital elements. Regulatory sandboxes should contribute to improve legal certainty for all actors that fall within the scope of this Regulation and facilitate and accelerate access to the Union market for products with digital elements, in particular when provided by microenterprises and small enterprises, including start-ups.

> (118) [...] specify the simplified documentation form targeted at the needs of microenterprises and small enterprises, and decide on corrective or restrictive measures at Union level in exceptional circumstances which justify an immediate intervention [...]

> (120) [...] When deciding on the amount of the administrative fine in each individual case, all relevant circumstances of the specific situation should be taken into account [...], including whether the manufacturer is a microenterprise or a small or medium-sized enterprise, including a start-up [...]. Given that administrative fines do not apply to microenterprises or small enterprises for a failure to meet the 24-hour deadline for the early warning notification of actively exploited vulnerabilities or severe incidents having an impact on the security of the product with digital elements, nor to open-source software stewards for any infringement of this Regulation, and subject to the principle that penalties should be effective, proportionate and dissuasive, Member States should not impose other kinds of penalties with pecuniary character on those entities.

  • I have two comments:

    First, I believe that you are correct in that small enterprises are not going to be fined out of existence (unless they continually fail to adhere to CRA requirements). The issue is that if you want to make a browser in the EU, you have to be extremely serious about it.

    Second, you are quoting from the section of the act that the EU uses to lay out their reasoning, justification, and thought process. This section is not legally binding. The actual text (page ~28 and beyond in the linked document) is what controls. We have seen from DMA enforcement in regard to Apple that the EC does not consider conflicts between the two sections to be important.

    • > The issue is that if you want to make a browser in the EU, you have to be extremely serious about it.

      The current browser vendors have made the web so complex that this is already the case regardless of what laws do or do not impose. It's simply too large a project to implement one for any non-serious project to succeed (as evidenced by the fact that we haven't got a new browser since... Chrome. Microsoft Edge sort of, I guess, but that project was abandoned and they moved to Chrome).


    • > if you want to make a browser in the EU, you have to be extremely serious about it.

      Why is this a problem?

      No, really; why is it a bad thing that if you want to create a complete new browser, you have to actually be serious and committed to it?

      A web browser is a pretty significant piece of software, and it sits between you and the entire web. You do your banking through it. You access your email through it. You book flights through it.

      If the browser is badly constructed or malicious, any of these very vital functions can fail in unpredictable ways, be compromised by unknown third parties, or even be deliberately intercepted by the browser itself.

      Here in the US, and especially for tech people like us, we're used to thinking of software as a complete free-for-all: anyone can make anything they want, and anyone must be allowed to make anything they want! That's what Freedom means!

      But that kind of freedom can have pretty serious consequences if it's treated without respect or abused. Frankly, I'm glad to see the EU starting to put some genuine safeguards in place for the people who have to use the software we make, to ensure that we can't just foist off crap on them and when they get their identity stolen because of our negligence, just say "lol too bad, Not Guaranteed Fit For Any Purpose, deal with it".
