Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

Yes I think that would be fair.

-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - University of the State of Baden-Württemberg and
National Research Center in the Helmholtz Association

On 01.07.2024 at 15:11, Dirk-Willem van Gulik via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

So getting back to Steffen Zimmermann @ VDMA's really crisp and clear example. And now having sat in at about half the clarification calls - I think it is fair to say that the question about a (mundane) product that has, within it, things from the Annexes, keeps coming up.

And, unless my understanding is wrong, it appears that each time, the CRA team focuses in their answer on the product as placed on the market - as opposed to its sub functionality. I.e. on its primary function, its core, etc.

So, as an example, if we have a 15 euro Furby - we'd look at that as an (internet connected) toy, or a rain meter in your garden:
<PastedGraphic-5.png>

My understanding from the CRA calls is that we need to evaluate these from a CRA perspective as an Internet connected toy or 'just a product not in any of the annexes' placed on the market.

Which is logical. You buy a firewall or an HSM to improve a key aspect of your cyber resilience posture & there the Annexes count. That does not factor in with a Furby or a Rain Gauge.

So the fact that this 1.28 euro embedded board actually happens to contain a firewall, a network adaptor, something very much akin to a hypervisor on Core0 and an HSM is not important; as it is not an HSM, firewall or network adaptor that is placed on the market. It is a Furby.

Or at least that seems to be what is said time and time again on these calls. So if we have a dead normal surface grinder (such as the one here at our shared workshop: https://wiki.makerspaceleiden.nl/mediawiki/index.php/Vlakslijpmachine_/_Surface_Grinder), my take is that the below depiction by VDMA is not quite correct.

This machine should be taken as a Grinding machine (and assuming there is not some sort of lex specialis directive) - the fact that it happens to contain an OS or HSM does not cause it to be on the annex of the CRA.

Would that be fair?

Dw



<PastedGraphic-1.png>


Two options - Dirk or MH sends it directly; or we make this some sort of collective letter. But the EC's telecons are quite informal. So I suggest the first rather than the latter.
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx