According to this site they claim that “The Cyber Resilience Act should only apply to free open-source software that is developed or supplied in the course of commercial activity.”

Almost all FOSS development happens as part of a commercial activity.

The most obvious example is of course corporate sponsorship of FOSS projects, but even things like pull requests submitted to FOSS libraries by corporate employees qualify as “develop[ment] in the course of commercial activity”.

Linux is really the big thing I see it applying to and Linux is very Cyber secure, so I don’t really see issues there.

Linux does not and cannot comply with the demands of the Cyber Resilience Act. For example, the Act demands automatic update installation, which within a kernel is infeasible and unsafe. Linux will be illegal in the EU.

Furthermore, no company in its right mind is going to sponsor, or allow its employees to contribute to, any FOSS project if doing so creates the risk of fines. All corporate sponsorship of and contribution to FOSS projects—which, once again, is responsible for almost all FOSS development—will completely and instantly disappear in the EU, severely damaging the worldwide FOSS movement.

Needless to say, this proposal is catastrophically bad.