The article makes it clear that (as the author understands it, at least) someone who uses open source software in their commercial product is liable; the people who wrote the open source code [1] are not.
> If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the ... harm. If open source resources are [used by] your code, you’re responsible for their performance too. *The open source resource licensed away their liability to you*.
(Emphasis mine)
[1] Assuming they used a license that limits liability, such as Apache.
The article is attempting to create a scare about things that have always been true. If a telco's services crash the telco has to compensate customers even if it was a postgres failure that caused it by failing to authorise handsets for a connection in a cell. For example.
The telco has service agreement with customers and it's clear exactly what service it was supposed to do and failed. Where is such agreement for a random github repository? To put it a bit ad absurdum, say user supplies parameter to your math function so that it divides by zero and it results in some injury or loss. Who is liable for that? Shold judge try to parse some piece of code for whether it was reasonable for user to expect passing zero will work?
If you sell a product e.g. a car and the brakes don't work you are liable
If you sell a product e.g. a medical software which calculates and runs your insulin pump and it responds to a division by zero error with injection 1000x the amount of insulin your are liable.
You don't have to focus on the how, only on if it was your product and was sold to a customer.
Who was at fault (product or customer) will be decided in a lawsuit.
If you don't sell anything then these laws don't apply to you, even if the article seems to be unclear about that.[1]
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
Edit: Somebody linked the full EU briefing: https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
On Page 5 there is a passage about how free-of-charge open source software is excluded and also who is liable in a commercial activity:
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
As far as the broader scope of the proposal compared to the existing PLD on liable parties is concerned, Article 7 of the revised PLD lists the types of 'economic operators' which can be held liable for defective products, by introducing a layered approach to liability depending on the different qualification of the economic operator.
Among the list of economic operators are:
(i) the manufacturer of a product or component,
(ii) the provider of a related service, (iii) the authorised representative, (iv) the importer, and (v) the fulfilment service provider or the distributor. The manufacturer should be liable for damage caused by a defect in their product or components. An innovation introduced in the revised PLD is considering any economic operator who has substantially modified the product outside the control of the manufacturer liable for any defect. Such a party is then considered as a manufacturer.
When a manufacturer is established outside the EU, the revised PLD would further attribute liability for a defective product to the importer and the authorised representative in the EU. As a last resort, the fulfilment service provider (offering at least two of: warehousing, packaging, addressing and dispatching of a product, without having ownership of the product), will be held liable when the importer and authorised representative in the EU are based outside the EU.
Distributors of a defective product (offline and online sellers) can also be held liable upon request by a claimant and when the distributor fails to identify any of the above operators.
Online platforms should be liable in respect of a defective product on the same terms as such economic operators when performing the role of manufacturer, importer or distributor.
There's a reference to "Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008", which does not distinguish for-profit activity at all. Just "all poducts on market and all who manufacture and distribute shall conform".
I don't understand why you want to know what the provider is?
For the purpose of liability and open source the definition is that any open source free of charge software is excluded from the proposed changes, so the provider doesn't matter.
This can be seen in the first link,on the third headline bullet point "Not applicable to free-of-charge open-source software" as well as the second paragraph.
The provisional agreement on the liability of economic operators for damage caused by defective products aims to respond to the increase in online shopping (including from outside the EU) and the emergence of new technologies (such as AI) as well as to ensure the transition to a circular economic model. In order not to stifle innovation, the rules will not apply to open-source software developed or supplied outside of a commercial activity.
I also added the the briefing of the proposed EU law with the details
Then somebody linked it in a comment below and then it was fairly easy as I knew what to search for from the short description in the first link.