EU Cyber Rules in Peril? LibreOffice's Stunning Rebuke of Commission's "Do as I Say, Not as I Do" Stance

Published: March 9, 2026 | Analysis & Policy

Analysis Summary: In an unprecedented move that strikes at the heart of European digital sovereignty, The Document Foundation—the non-profit behind the world's leading free office suite, LibreOffice—has publicly called out the European Commission for failing to adhere to its own landmark Cyber Resilience Act (CRA) guidances. This formal request, issued on March 5, 2026, represents more than bureaucratic disagreement; it is a critical stress test for the EU's credibility as a regulator of the digital ecosystem it seeks to shape.

Key Takeaways

  • Direct Challenge: The Document Foundation has formally asked the European Commission to align its own software procurement and practices with the CRA "guidances" it issued to the public and industry.
  • Core Principle at Stake: The confrontation centers on the fundamental principle of fairness and the Commission's role as a "model user," not just a rule-maker.
  • Open-Source Implications: The outcome will significantly impact the perception and practical treatment of open-source software within the EU's regulatory and procurement framework.
  • Regulatory Credibility: This incident questions whether the EU can enforce its ambitious digital legislation without first ensuring its own house is in order.
  • Global Ripple Effect: As a global regulatory trendsetter, the EU's handling of this internal contradiction will be closely watched by other governments worldwide.

Top Questions & Answers Regarding the LibreOffice vs. EU Commission Dispute

What exactly is the European Commission being accused of by The Document Foundation?
The Document Foundation alleges that the European Commission, in its role as a software user and procurer, is not following the very "guidances" it published to help others comply with the Cyber Resilience Act (CRA). While the Commission has created rules and guidance for manufacturers and the market, it appears not to be applying the same "model user" principles to its own internal IT practices and procurement decisions related to software like LibreOffice. This creates a "do as I say, not as I do" perception.

Why is the Cyber Resilience Act (CRA) so significant in this context?
The CRA is landmark EU legislation designed to mandate cybersecurity throughout a product's lifecycle. Its "guidances" are interpretive documents meant to clarify how the law should be implemented. By potentially ignoring its own guidances, the Commission undermines the law's authority and creates uncertainty for all entities—especially open-source projects—trying to comply. It suggests a gap between regulatory theory and institutional practice.

What are the potential consequences if the Commission ignores this request?
Ignoring the request would damage the EU's credibility as a fair digital regulator, potentially chilling engagement from the open-source community. It could lead to increased legal challenges against EU digital rules and weaken the Commission's moral authority to enforce the CRA on private companies. For the open-source ecosystem, it could signal that the EU's commitment to open-source in policy (like the Open Source Software Strategy) is not matched by its procurement actions.

How does this conflict affect the average user or business relying on LibreOffice?
In the short term, very little. LibreOffice development continues independently. However, the long-term implications are profound. If the EU, a major administrative body, deprioritizes open-source software in its own operations due to misapplied regulations, it could slow broader public sector adoption. This reduces market validation and potential funding streams for open-source projects, indirectly affecting the pace of innovation and support available to all users.

Is this just about LibreOffice, or is it a larger issue for open-source software?
This is a seminal case for the entire open-source ecosystem. LibreOffice is a high-profile, widely used project. The precedent set here will influence how other EU institutions and member state governments interpret CRA compliance for open-source software. A negative outcome could impose undue bureaucratic burdens on open-source contributors, while a positive one could solidify open-source as a trusted, compliant pillar of the EU's digital autonomy.

A Clash of Principles: Regulatory Power vs. Exemplary Conduct

The heart of this dispute is a classic problem of governance: the regulator that fails to subject itself to the spirit of its own rules. The European Commission has positioned itself as a global digital rule-maker, with the CRA following the GDPR and Digital Markets Act as a centerpiece of its "Europe Fit for the Digital Age" agenda. The Act's guidances are not law, but they represent the Commission's official interpretation of how to comply with the law. For the Commission to allegedly disregard these interpretations in its own operations is perceived as a fundamental breach of good faith.

This incident did not occur in a vacuum. It follows years of advocacy by the open-source community for fair treatment under EU regulations. The CRA, while aimed at improving security, initially raised alarms for potentially imposing manufacturer-like liabilities on non-commercial open-source contributors. The final text and subsequent guidances attempted to address these concerns, offering clarifications and a more tailored approach. The Document Foundation's request is, in essence, a test of whether those clarifications have any tangible meaning in the Commission's own backyard.

Historical Context: The EU's Ambivalent Dance with Open Source

The European Union has a long, complex relationship with open-source software. On one hand, it has issued strategies praising open source as a driver of innovation and digital sovereignty. The Commission's own "Open Source Software Strategy 2020-2023" explicitly aimed to increase internal use and contribution. Landmark projects like the "Public Money, Public Code" initiative have significant political support.

On the other hand, the practical reality of procurement and a risk-averse administrative culture has often favored proprietary solutions. Legacy systems, perceived support guarantees, and lobbying exert a powerful gravitational pull. This creates a policy dissonance: public advocacy for open source coupled with private procurement habits that undermine it. The current conflict over CRA guidances brings this dissonance into sharp, public relief, challenging the Commission to align its actions with its rhetoric.

Three Analytical Angles on the Standoff

1. The "Model User" Doctrine and Its Collapse

Effective regulation often relies on the regulator acting as a "model user" or exemplar. This doctrine holds that by adhering to its own standards, a regulatory body legitimizes those standards and encourages voluntary compliance. The Commission's apparent failure to follow its CRA guidances fatally undermines this doctrine. It sends a signal to the market that the guidances may be optional or less serious than presented, potentially leading to fragmented compliance and a "lowest common denominator" approach to cybersecurity across Europe.

2. The Bureaucratic Blind Spot: Regulating Others vs. Governing Oneself

Large institutions are notoriously skilled at creating rules for external entities while maintaining internal exceptions. This blind spot is a well-documented organizational pathology. The Commission, as a massive administrative apparatus, is not immune. The LibreOffice request forces a necessary introspection: Can the DG for Communications Networks, Content and Technology (DG CONNECT) effectively enforce the CRA if the Commission's own Directorate-General for Informatics (DIGIT) isn't fully on board with the guidances? This internal alignment is now a matter of public scrutiny.

3. Open Source as a Litmus Test for Digital Sovereignty

The EU's quest for "digital sovereignty" — reducing dependency on foreign tech giants — is a stated geopolitical priority. Genuine digital sovereignty is impossible without a thriving, trusted, and utilized open-source ecosystem. How the Commission treats a flagship European open-source project like LibreOffice is a litmus test for the seriousness of this ambition. If it cannot fairly integrate such projects into its own secure digital environment under its own rules, its broader sovereignty strategy appears theoretical, not operational.

Broader Implications and the Road Ahead

The Document Foundation's move is strategically astute. It is not a legal challenge but a public, principled request that puts the Commission in a bind. Ignoring it invites accusations of hypocrisy and damages the EU's soft power in tech governance. Addressing it seriously would require internal changes and set a powerful precedent for other EU institutions and member states.

The coming weeks will be telling. The Commission's response (or lack thereof) will be parsed for nuance. A formal, constructive engagement could strengthen the CRA's legitimacy and bolster the EU's partnership with the open-source community. A dismissal or opaque bureaucratic response would likely escalate the conflict, potentially leading to formal appeals or increased political pressure from the European Parliament, which has historically been more supportive of open source.

Beyond Brussels, this case is a cautionary tale for governments worldwide crafting cybersecurity regulations. It highlights the critical need for regulatory self-application and the unique considerations required for open-source sustainability. The world is watching to see if the EU can practice what it preaches, or if its ambitious digital rulebook will be undermined by its first, and most prominent, institutional test.

Final Analysis: This is not merely a technical dispute over software procurement. It is a pivotal moment for the integrity of the EU's digital regulatory project. The LibreOffice request holds up a mirror to the European Commission, asking it to see the gap between its rule-making and its operational reality. How the Commission chooses to respond will define its credibility as a digital leader for years to come and determine whether open-source software will be a true partner in Europe's digital future, or merely a policy footnote.