Re: [open-regulatory-compliance] European Commission informal CRA consultations on the definition of Critical and Important products

On 30 Jun 2024, at 14:35, Marta Rybczynska via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

> I attended calls on Wednesday last week and here are my general notes (will put more detail on each specific subject in the documents linked by Toby). This is a kind of "what I wanted to know before I attended" message.
> 
> Of course, those are my personal notes and there might be errors.
> 
> Goal: the goal of those meetings is to discuss definitions of the categories of products on the list of important and critical products with digital elements of the CRA. There is one meeting per product category. There was a call about VPNs, and a separate one on "boot managers", and so on. It seems that there's pressure on them to come up with the definitions as soon as possible. They want to collect materials and then publish definition proposals "after summer". During that second consultation period, they will be asking for written feedback.
> 
> What one of those meetings looks like: it is an informal discussion. It starts with an introduction part, the same for all calls, with a reminder of the goals of the CRA and the types of products (FOSS is listed separately). The Commission people present definitions they have found elsewhere (with the help of ENISA) and ask for comments or suggestions. I would classify the discussions as rich and highly technical.
> 
> The number of attendees varied from around 30 to more than 60. Not everyone talked. You raise your hand "virtually" and can comment verbally or in the chat.
> 
> There is no recording (on purpose) and they don't share their slides (also on purpose). They clearly say that those definitions are for discussion purposes only. There will be no written summary.
> 
> They have not promised to take any specific feedback into account, they were taking notes of the questions and suggestions.
> 
> FAQ from the calls I attended
> 
> 1. What if a product has a function that is on the important/critical list, or has multiple functions on a list?
> 
> It must be the main function of the product to put it on the list. If a product merely has such a function, but its main function is different, it is the categorisation of the main function that applies.
> 
> 2. What about FOSS?
> 
> FOSS is self-assessment, except for critical products.
> 
> 3. What about products on the important/critical list that include FOSS components?
> 
> The manufacturers will have to do due diligence.
> 
> 4. What about the 3-year transition period, when the standards will only be known 2 years into it, leaving 1 year for manufacturers?
> 
> This one was asked in various forms in all the calls I attended. The rough answer is: there is much to do to create standards.
> 
> 5. Can we change the names of categories?
> 
> No, they can't be changed anymore. Definitions can cover the part of the functionality that makes sense from the security point of view.

Splendid summary - and it nicely summarises all the calls I've been on. One other thing to add to point '5': it appears that technical experts were not in the room when the 'labels' of categories were tweaked by policy-makers/politicians. So categories such as 'physical and virtual network interfaces' are somewhat happenstance, with key EC staff not actually being able to say what it means, other than 'that is what we've been given to work with' from the Parliament & Council.

Dw
