Re: [open-regulatory-compliance] European Commission informal CRA consultations on the definition of Critical and Important products

Hi again,

I've fixed document access (again). Everyone should be able to comment or make suggestions without a Google account. Those who signed up for this topic through the survey and have a Google account should have edit access. If you want edit access, just request it directly through a doc or email me.

Thanks for your patience,

--tobie

On Sun, Jun 30, 2024 at 4:33 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:
Thanks Greg,

LMK if you need write access to any of the documents.

--tobie

On Sun, Jun 30, 2024 at 4:08 PM Greg Wallace <greg@xxxxxxxxxxxxxxxxxxxxx> wrote:
thank you Tobie!

I will be joining the operating systems consultation and am happy to take notes.

Greg
FreeBSD Foundation

On Sun, Jun 30, 2024 at 10:06 AM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Someone reached out privately to ask why their category of software wasn't part of those initial consultations.

I'll share the answer here because I'm sure others are wondering about this too. (As a side note, feel free to ask questions directly to the mailing list. You'll get an answer faster, usually from someone much more knowledgeable than me, and everyone gets to learn from your question. There are no stupid questions; we're all trying to figure this out as we go, so don't feel bad for not knowing something.)

Now the answer to the question: the CRA categorises a subset of products as "Important" or "Critical". These products will have to go through a stricter conformity assessment because the impact of a vulnerability or security issue would have greater consequences. Product categories which aren't listed in Annex III and IV of the CRA aren't considered "Important" or "Critical" and so won't be part of those initial consultations. It doesn't mean they'll be exempt; they'll just be subject to the regular conformity assessment, not a stricter version.

You might still be interested in joining some calls about adjacent topics, but you shouldn't be directly impacted by these stricter conformity requirements if your product category isn't listed here. Also, these stricter requirements are for manufacturers, not open source stewards.

Hope this is helpful!

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen

On Sun, Jun 30, 2024 at 3:32 PM Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:

On Sun, Jun 30, 2024 at 2:35 PM Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hello all,
I attended calls on Wednesday last week and here are my general notes (I will put more detail on each specific subject in the documents linked by Tobie). This is a kind of "what I wanted to know before I attended" message.

Of course, those are my personal notes and there might be errors.

Goal: the goal of those meetings is to discuss definitions of the categories of products on the list of important and critical products with digital elements of the CRA. There is one meeting per product category. There was a call about VPNs, a separate one on "boot managers", and so on. It seems that there's pressure on them to come up with the definitions as soon as possible. They want to collect materials and then publish definition proposals "after summer". During that second consultation period, they will be asking for written feedback.

What does one of these meetings look like: it is an informal discussion. It starts with an introduction part, the same for all calls, with a reminder of the goals of the CRA and the types of products (FOSS is listed separately). The Commission people present definitions they have found elsewhere (with the help of ENISA) and ask for comments or suggestions. I would classify the discussions as rich and highly technical.

The number of attendees varied from around 30 to more than 60. Not everyone spoke. You raise your hand "virtually" and can comment verbally or in the chat.

There is no recording (on purpose) and they don't share their slides (also on purpose). They clearly say that those definitions are for discussion purposes only. There will be no written summary.

They have not promised to take any specific feedback into account; they were taking notes of the questions and suggestions.

FAQ from the calls I attended

1. What if a product has a function that is on the important/critical list, or has multiple functions that are on the list?

It must be the main function of the product to put it on the list. If a product merely has such a function but its main function is different, it is the categorisation of the main function that applies.

2. What about FOSS?

FOSS is self-assessment, except for critical products.

3. What about products on the important/critical list that include FOSS components?

The manufacturers will have to do due diligence.

4. What about the 3-year transition period, when the standards will only be known 2 years into it, leaving 1 year for manufacturers?

This one was asked in various forms in all the calls I attended. The rough answer is: there is much to do to create standards.

5. Can we change the names of categories?

No, they can't be changed anymore. Definitions can cover the part of the functionality that makes sense from the security point of view.

Kind regards,
Marta


On Fri, Jun 28, 2024 at 4:02 PM Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi all,

Following up on my previous email, I've set up a discussion topic to help us coordinate within the ORC WG and work effectively with OpenForum Europe (who is also tracking these calls): https://gitlab.eclipse.org/eclipse-wg/open-regulatory-compliance-wg/cra-topics/-/tree/main/topics/prod-defs

I also generated a Google doc (I know!) for each individual consultation that can be used as a scratchpad before and during the call. The idea is to move the finalized meeting notes into GitLab (I can help with this). The scratchpads are linked directly from the coordination spreadsheet.

I gave editing permission to everyone who signed up for this topic via the survey and who has a Google account linked to the email they shared. Everyone else has the ability to comment. Feel free to request editing permission if you would like to participate and didn't get access.

Hopefully, this setup won't be too cumbersome to use and will help us coordinate. If you're unhappy with it, feel free to rely on the mailing list instead, and I'll do my best to update the docs and GitLab accordingly.

Comments and suggestions on how to improve this workflow are more than welcome.

TL;DR
If you're planning to join a CRA consultation call, add your name to the spreadsheet (https://docs.google.com/spreadsheets/d/1tVEd8A_Bk3k-QBS8CoiHxurYy_IvqcVmL5M2dgayuUg/edit?gid=0#gid=0) and don't forget to register (https://ec.europa.eu/eusurvey/runner/CRAconsultations).

Thanks,

--tobie

---
Tobie Langel
Tech Lead Open Regulatory Compliance WG, Eclipse Foundation
Principal, UnlockOpen
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org