Document Foundation urges EU to ditch Excel lock-in for cybersecurity law consultation
The Document Foundation has taken a swipe at the European Commission over its consultation on guidance for the EU's Cyber Resilience Act – because the feedback template is only available as a Microsoft Excel spreadsheet.
The nonprofit behind LibreOffice says the Commission's request for stakeholder input, published this week, requires responses to be submitted using a template available only as an .xlsx spreadsheet, a format that is controlled by Microsoft and typically edited using Excel or compatible tools.
For an institution that has spent years promoting open standards, digital sovereignty, and reduced reliance on proprietary technology, that choice sends the wrong signal, the foundation argues.
In a blog post and open letter, the group says the approach creates what it calls a "structural bias" in the consultation process. Anyone wishing to provide structured feedback on the CRA guidance must use a format tied to a single vendor's ecosystem, which risks disadvantaging organizations that operate entirely on open source tools or open document standards, it adds.
"Requiring participants to use this format as the sole vehicle for structured data entry effectively conditions participation in a public consultation on the availability or willingness to use software produced by a single supplier," the letter reads.
The Foundation says the Commission could easily provide the same template in an open format alongside the proprietary one – most obviously the Open Document Format (.ods), an ISO-standard used by LibreOffice and other open source office suites.
This matters, the Foundation says, because the consultation process is supposed to be open to citizens, public bodies, and organizations across Europe, including those that have deliberately adopted open source software in line with EU policy recommendations.
Brussels has repeatedly pushed those very ideas. EU guidance has long nudged public bodies toward open standards and away from vendor lock-in, and the bloc's open source strategy is meant to cut reliance on proprietary platforms. Even the Cyber Resilience Act itself is framed around reducing the risks of opaque technology stacks.
The Document Foundation says asking stakeholders to comment on CRA guidance using a proprietary spreadsheet format undermines the message.
"The Commission's credibility on digital sovereignty, open standards, and vendor-independent infrastructure is undermined … each time its own processes rely exclusively on proprietary formats," the group writes.
The Foundation is now urging other free and open source software projects and advocates to sign a joint letter asking the Commission to provide consultation templates in both proprietary and open formats going forward, or ideally supplement them with a web-based form.
The group's fix is straightforward enough: release the template in both .xlsx and ODF and let people choose what works. If Brussels can't manage that, its crusade against vendor lock-in may end up derailed by a spreadsheet. ®
