Hi Marta,
you’re right, it is upon the “core functionality” of the product to be in the category. If a manufacturer of a industrial control device like a PLC integrates
an operating system, the operating system itself is in the list of Annex III and therefore is an important product. The PLC’s core functionality is to control industrial processes (IACS – Industrial Automation and Control Systems – was in the list but then
was deleted in the Trilogue). That is currently not in the list and therefore the PLC is not an important product. I draw this up below.
“Core Functionality”
Source: Recital 45, EU Cyber Resilience Act
“Important products with digital elements referred to in this Regulation should be understood as products which have the
core functionality of a category of important products with digital elements that is set out in this Regulation.
For example, this Regulation sets out categories of important products with digital elements which are defined by their core functionality as firewalls or intrusion
detection or prevention systems in class II. As a result, firewalls and intrusion detection or prevention systems are subject to mandatory third-party conformity assessment. This is not the case for other products with digital elements not categorised as important
products with digital elements which may integrate firewalls or intrusion detection or prevention systems. The Commission should adopt an implementing act to specify the technical description of the categories of important products with digital elements that
fall under classes I and II as set out in this Regulation.”
Additionally, you should look at
"No Inheritance"
Source: Article 7 (1), EU Cyber Resilience Act
“Products with digital elements which have the
core functionality of a product category set out in
Annex III shall be considered to be important products with digital elements and shall be subject
to the conformity assessment procedures referred to in Article 32(2) and (3). The integration of a
product with digital elements which has the core functionality of a product category set out in
Annex III shall not in itself render the product in which it is integrated subject to the
conformity assessment procedures referred to in Article 32(2) and (3).”
Mit den besten Grüßen,
Steffen Zimmermann
Industrial Security @ VDMA
Von: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx>
Im Auftrag von Marta Rybczynska via open-regulatory-compliance
Gesendet: Montag, 1. Juli 2024 09:42
An: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Marta Rybczynska <marta.rybczynska@xxxxxxxxxxxxxxxxxxxxxx>
Betreff: Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)
As I read it (and what was said in the calls), the functionality on the "important" list needs to be the main function. If those are plugins, I would assume you will need to follow processes/do evaluation only of those plugins, but not
the rest of the framework. I think clarifying such cases will be important in the standardization work...
So I'm not really looking for an analysis of when open source will work in terms of attitudes, terminology or economics, but what the legal implications of CRA are on these communities and related entities.
FWIW I position myself as a key player in stewarding CiviCRM but not of Wordpress, Drupal or Joomla. In reviewing the materials so far I realized that my micro-enterprise has done a couple of Drupal / CiviCRM projects whose primary function
likely means thet constitute "Identity management systems and privileged access management software and hardware, including authentication and access
control readers, including biometric readers" . I don't think the market for these CMS edge cases would justify significant changes in Drupal or WordPress development practices. But I am not yet knowledgeable about what the extra burden is for a Class I software
project compared to a non-important one, and how much our communities may already have implemented the extra required processes.
Joe Murray, PhD
President, JMA Consulting
On 30 Jun 2024, at 19:58, Joe Murray <joe.murray@xxxxxxxxxxxxxxxxx> wrote:
Yes, it would be necessary for the implementor to either not propose the use if the projects they are proposing are not conforming or do the work to help bring them into conformity. That would be the open source way. My concern is with
implementations that are edge cases for the main project. My sense is it may be difficult to get them to adopt the stricter rigour if the great majority of use cases are not requiring it.
Well - the second it is a ’them’ rather than the collective `us' of the community that maintains the open source it is IMHO game over. It is then every downstream manufacturer for themselves; and take on the full burden of bringing things
into conformity.
Open source only caters for the ‘us’. The them is happenstance — but is not part of the feedback loop that gives the win-win for the ‘us’ on the open source side. That needs self-interested contributions.
So it is only the narrow case, I think, of enough of the open source community caring about conformity, that a part of it can be done in that open source community (even though it may not actually be strictly a part of the tasks that the
governance of the open source steward sees on).
On 30 Jun 2024, at 18:51, Tobie Langel via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Joe Murray asks this really interesting question in a separate thread (see below for the full email): do the stricter conformity assessment of products categorised as Important or Critical impact their open source dependencies?
Of course, the burden of conformance falls on manufacturers, but can we imagine a situation where some open source projects allow manufacturers to meet the baseline requirements but not the stricter ones while others allow for both?
I would expect this to butt up against a fundamental open source tenet (e.g. 6, 8 and 10 in https://opensource.org/definition-annotated) about not trying to rule
over your grave / downstream use. Because, as we have learned in the last 35+ years — the second you do this is the second you have subtle backstabbing & distrust between commercial parties with open source the conduit. And then the safe win-win of open source
breaks down / is gone. And Trust Arrives on Foot and Leaves on Horseback, So I would not expect this at all. We’ve matured beyond that trap.
What I do expect is the opposite — that some open source communities allow those in their community that place products on the market needing such assessment to collaborate at the open source foundation on exactly that.
And that increasingly we see projects not just shipping source, makefiles, docs and release notes. But also that what is needed for conformity assessments.
Now this may break the business models of some notified bodies — but that is not really an issue for opens source :)
Some open source projects like Content Management Systems (WordPress, Drupal, Joomla) and CiviCRM are generally used in a way that makes each implementation unique due to selection and configuration of plugins, modules and extensions. The
latter cannot run independently. Sometimes these plugins, modules and extensions implement or integrate as their primary function a critical or important category of functionality.
1. So I take it that a) the maintainers of the plugins, modules and extensions would possibly be open source stewards and since they are not putting the functionality on the market would not be subject to the stricter conformity assessments.
2. In some cases the primary purpose of an installation of the CMS is to provide a setup for a category III or IV function. In these cases the implementor is considered a manufacturer. And as they would need stricter conformity assessments,
this would mean the software development practices of the plugin, extension, or module maintainer need to be in conformity, as well as those maintaining the core project.
Did I get this right?
Joe Murray, PhD
President, JMA Consulting
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit
https://accounts.eclipse.org
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit
https://accounts.eclipse.org
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit
https://accounts.eclipse.org
|
