Re: [open-regulatory-compliance] European Commission informal CRA consultations on the definition of Critical and Important products

Thanks for the feedback, Marta. This is super helpful.

All, I created calendar events for each consultation and added them to our community calendar:
https://calendar.google.com/calendar/u/0/embed?src=

Also available in iCal format: https://calendar.google.com/calendar/ical/c_7db8e3f13c4fac984103918a97c704bb1d619da0fdb66d33f1747849b6020aea%40group.calendar.google.com/public/basic.ics

--tobie

On Sun, Jun 30, 2024 at 2:35 PM Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello all,
I attended calls on Wednesday last week and here are my general notes (I will put more detail on each specific subject in the documents linked by Tobie). This is a kind of "what I wanted to know before I attended" message.

Of course, those are my personal notes and there might be errors.

Goal: the goal of those meetings is to discuss definitions of the categories of products on the list of important and critical products with digital elements of the CRA. There is one meeting per product category. There was a call about VPNs, and a separate one on "boot managers", and so on. It seems that there's pressure on them to come with the definitions as soon as possible. They want to collect materials and then publish definition proposals "after summer". During that second consultation period, they will be asking for written feedback.

What one of these meetings looks like: it is an informal discussion. It starts with an introduction part, the same for all calls, with a reminder of the goals of the CRA and the types of products (FOSS is listed separately). The Commission people present definitions they have found elsewhere (with the help of ENISA) and ask for comments or suggestions. I classify the discussions as rich and highly technical.

The number of attendees varied from around 30 to more than 60. Not everyone talked. You raise your hand "virtually" and can comment verbally or in the chat.

There is no recording (on purpose) and they don't share their slides (also on purpose). They clearly say that those definitions are for discussion purposes only. There will be no written summary.

They have not promised to take any specific feedback into account; they were taking notes of the questions and suggestions.

FAQ from the calls I attended

1. What if a product has a function that is on the important/critical list, or has multiple functions on the list?

It must be the main function of the product to put it on the list. If a product just has such a function, but its main function is different, it is the categorisation of the main function that applies.

2. What about FOSS?

FOSS is self-assessment, except for critical products.

3. What about products on the important/critical list that include FOSS components?

The manufacturers will have to do due diligence.

4. What about the 3-year transition period, when the standards will only be known 2 years into it, leaving 1 year for manufacturers?

This one was asked in various forms in all the calls I attended. The rough answer is: there is much to do to create standards.

5. Can we change the names of categories?

No, they can't be changed anymore. Definitions can cover the part of the functionality that makes sense from the security point of view.

Kind regards,
Marta
On Fri, Jun 28, 2024 at 4:02 PM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,

Following up on my previous email, I've set up a discussion topic to help us coordinate within the ORC WG and work effectively with OpenForum Europe (who is also tracking these calls): https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/tree/main/topics/prod-defs
I also generated a Google Doc (I know!) for each individual consultation that can be used as a scratchpad before and during the call. The idea is to move the finalized meeting notes into GitLab (I can help with this). The scratchpads are linked directly from the coordination spreadsheet.

I gave editing permission to everyone who signed up for this topic via the survey and who has a Google account linked to the email they shared. Everyone else has the ability to comment. Feel free to request editing permission if you would like to participate and didn't get access.

Hopefully, this setup won't be too cumbersome to use and will help us coordinate. If you're unhappy with it, feel free to rely on the mailing list instead, and I'll do my best to update the docs and GitLab accordingly.

Comments and suggestions on how to improve this workflow are more than welcome.

TL;DR
If you're planning to join a CRA consultation call, add your name to the spreadsheet (https://docs.google.com/spreadsheets/d/1tVEd8A_Bk3k-QBS8CoiHxurYy_IvqcVmL5M2dgayuUg/edit?gid=0#gid=0) and don't forget to register (https://ec.europa.eu/eusurvey/runner/CRAconsultations).

Thanks,

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen