Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

I think the same thing still applies. (Not legal advice)
The end product likely matters most, the parts less so. Especially if they're one-off / customized, where you might even be able to argue that they are not really "on the market" as a fixed product. (But not sure about that)

-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft

On 01.07.2024 at 15:47, Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Dear all,
 
sorry for my very special view on machinery, which is B2B. The grinding machines I have in mind look like these. These are more or less "systems of systems", having Linux, Windows, sensors, actuators, Ethernet, OPC UA, MQTT, REST APIs, you name it.
 
Built by developers, maybe as a tailor-made product, but based on a lot of (OSS) components from hundreds of suppliers.
 
<image001.jpg>
 
Best regards,
 
Steffen Zimmermann
Industrial Security @ VDMA
 
 
From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On behalf of Dirk-Willem van Gulik via open-regulatory-compliance
Sent: Monday, 1 July 2024 15:12
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)
 
So getting back to Steffen Zimmermann's (VDMA) really crisp and clear example. And now having sat in on about half the clarification calls - I think it is fair to say that the question about a (mundane) product that has, within it, things from the Annexes, keeps coming up.
 
And, unless my understanding is wrong, it appears that each time, the CRA team focuses in their answer on the product as placed on the market - as opposed to its sub functionality. I.e. on its primary function, its core, etc.
 
So, as an example, if we have a 15 euro Furby - we'd look at that from an (internet-connected) toy or a rain meter in your garden:
<image002.png>
 
My understanding from the CRA calls is that we need to evaluate these from a CRA perspective as an Internet-connected toy or "just a product not in any of the annexes" placed on the market.
 
Which is logical. You buy a firewall or an HSM to improve a key aspect of your cyber resilience posture & there the Annexes count. That does not factor in with a Furby or a Rain Gauge.
 
So the fact that this 1.28 euro embedded board actually happens to contain a firewall, a network adaptor, something very much akin to a hypervisor on Core0 and an HSM is not important; as it is not an HSM, firewall or network adaptor that is placed on the market. It is a Furby.
 
Or at least that seems to be what is said time and time again on these calls. So if we have a dead normal surface grinder (such as the one here at our shared workshop: https://wiki.makerspaceleiden.nl/mediawiki/index.php/Vlakslijpmachine_/_Surface_Grinder), my take is that the depiction below by VDMA is not quite correct.
 
This machine should be taken as a grinding machine (and assuming there is not some sort of lex specialis directive) - the fact that it happens to contain an OS or HSM does not cause it to be on the annex of the CRA.
 
Would that be fair?
 
Dw
 
 
 
<image003.png>
 
 
Two options - Dirk or MH sends it directly; or we make this some sort of collective letter. But the EC's telecoms are quite informal. So I suggest the first rather than the latter.
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org