* Person A makes OSS project P
* Organisation/Person B uses P
* A vulnerability in P causes financial harm to B
Is person A now liable under this law? What happens if person A has a Patreon or GitHub sponsor page? The latter seems to imply you're being paid for development and so this is now a commercial project?
Or is the requirement that the end user directly pays for the product? In that case this directive would not cover a variety of large objectively commercial products: Chrome, Slack, Java, arguably macOS and iOS (because you get new versions for "free" so the software is "free", right? Apple makes a point of stating its products are the hardware), etc - hence you can't say the "commercial" restriction requires money being exchanged directly for the software, but that gets you back to "does a Patreon, GitHub sponsor, etc mean you're now a commercial developer?"
Again the problem here is the ambiguity, and the massive disparity between revenue and liability. If you make a few hundred (or even a few thousand) a year from sponsorship, should you be subject to massive liability because a huge organisation, or a large number of different organisations, picks up your project? You could now be liable for damages those organisations are subject to.
There's a lot of focus in these threads on "company uses your OSS project in products they sell and a bug impacts their customers" rather than "company uses your OSS project, and a bug causes the company itself harm", i.e. the company is now the end user. To make it even more direct, what would happen if (as some companies do) the company provides "sponsorships" (or whatever) for the OSS project's development? Now the company is the end user and they're paying for development, and that sounds pretty "commercial".
But also this legislation completely undermines all OSS licenses, as they all say the software is distributed without liability or warranty. The liability restriction is completely neutered, so now contributing to any OSS project requires you to be able to afford a lawyer to determine whether you can do so without acquiring boundless liability, which seems like a surefire way to immediately price out the overwhelming majority of OSS contributors from ever contributing to any OSS project.
[addendum] One other follow-on from this would be that if you do have any sponsorship mechanism, it would seem you're now liable for bugs in code submitted by other people unless you're paying every contributor for their contributions, specifically to transfer liability. If you don't do that, you're acquiring liability for code written by others.
> In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity. This is in particular the case for software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable and redistributable. However where software is supplied in exchange for a price or personal data is used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity, the Directive should apply
Whether sponsors/Patreon means "outside the course of a commercial activity" would likely be for courts to decide. It could mean that you only work on something that is "sponsored"... yeah, that would likely be covered. Getting a few euros with no obligations, hopefully not. But ultimately, it's a chilling effect until some court decides.