It doesn’t seem to be voluntary at all, from what I can tell from the draft:

“Upon that notification, the provider shall, in cooperation with the EU Centre pursuant to Article 50(1a), take the necessary measures to effectively contribute to the development of the relevant technologies to mitigate the risk of child sexual abuse identified on their services. […]”

“In order to prevent and combat online child sexual abuse effectively, providers of hosting services and providers of publicly available interpersonal communications services should take all reasonable measures to mitigate the risk of their services being misused for such abuse […]”

These quote sound mandatory, not voluntary. And let’s look what these technologies referenced are:

“In order to facilitate the providers’ voluntary activities under Regulation (EU) 2021/1232 compliance with the detection obligations, the EU Centre should make available to providers detection technologies […]”

“The EU Centre should provide reliable information on which activities can reasonably be considered to constitute online child sexual abuse, so as to enable the detection […] Therefore, the EU Centre should generate accurate and reliable indicators,[…] These indicators should allow technologies to detect the dissemination of either the same material (known material) or of different new child sexual abuse material (new material), […]”

Oops, it sounds again like mandatory scanning.

Source: https://cdn.netzpolitik.org/wp-upload/2025/11/2025-11-06_Council_Presidency_LEWP_CSA-R_Presidency-compromise-texts_14092.pdf

The new draft seems to pretend better to look less mandatory, but it still looks mandatory to me. Feel free to correct me if somebody can figure out that I’m wrong.

I continue to believe the risk is real and supported by my links and quotes. You might notice some people in the linked discussions who seem to be thinking it’s not entirely baseless. You’re free to disagree. I’m not a lawyer anyway.

I will stop discussing since suddenly this is about “normal” and I guess “abnormal” donations, and I don’t think we’re having a clear-headed debate here.

Did you actually read the quote I gave? I’m honestly confused.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402847

Supply in the course of a commercial activity might be characterised not only by charging a price for a product with digital elements, but also by charging a price for technical support services where this does not serve only the recuperation of actual costs, by an intention to monetise, for instance by providing a software platform through which the manufacturer monetises other services, by requiring as a condition for use the processing of personal data for reasons other than exclusively for improving the security, compatibility or interoperability of the software, or by accepting donations exceeding the costs associated with the design, development and provision of a product with digital elements

TL;DR, just donations can already be a problem, apparently. But IANAL.

As far as I understand the license doesn’t matter at all for EU regulation, other than “non-free” software is treated even worse.

Generally if you give something away for free, you can’t be claimed to be the owner.

The CRA from what I can tell applies to software given away for free, sadly. I’m not a lawyer, though. But you can perhaps see why people don’t trust the EU.

I admit it’s a complex topic, but if you read the post in detail, it should answer your questions. The “owner” is typically the maintainer, if in doubt that’s the person with repository write access. And the EU can apparently potentially require whatever to be maintained, not that I understand the exact details. The point was that the regulation doesn’t seem to avoid FOSS fallout well.

The EU has been so far bad at making sure FOSS isn’t seen as a paid product in the eyes of regulation, even in cases where it’s clearly unpaid, see here. They can’t be trusted to get this differentiation right.

Therefore, unlockable bootloader seems like the better idea. Get people to Linux and open Android variants if the closed-source companies won’t serve them.

Often it is respected, but the resulting problem is platforms conflate things with the questionable AI scraping crawlers to blackmail websites into participating in feeding AI.

For example, Googlebot if enabled won’t just list you for search, but will also scrape your contents for Google’s AI. Edit: see https://arstechnica.com/tech-policy/2025/07/cloudflare-wants-google-to-change-its-ai-search-crawling-google-likely-wont/ as source. I imagine LinkedinBot, given it’s microsoft, will feed some other AI of theirs as well on top of the previews.

Until regulation steps in to require AI bots to separately ask for crawling permission, or to actually get a proper license for reuse of the contents, this situation isn’t going to improve.