Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

Many thanks, fukami!

Joe Murray, PhD (he/him)
President, JMA Consulting
416.466.1281

We respectfully acknowledge the autonomy of Indigenous peoples, and that JMA Consulting is located on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples which is now home to many diverse First Nations, Inuit and Métis peoples. We also acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit.


On Wed, Jul 3, 2024 at 6:10 PM fukami <chorchert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi!

> On 3 Jul 2024, at 22:29, Joe Murray via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
> https://www.european-cyber-resilience-act.com/Cyber_Resilience_Act_Annex_3.html),

Legislation is not so different from software: please use the most current version from a trusted source for reference, not some outdated info from an untrusted third-party site: https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html

> As I look more closely, I see the CRA only covers products. Are there products that are purely digital? Digital services are sometimes covered by NIS 2 if they are purchased by important or essential entities (https://ec.europa.eu/commission/presscorner/detail/en/QANDA_22_5375), and it entails equivalent obligations.

The FAQ was done before 3/2023; it doesn’t fully reflect the changes (see the text in bold from the link above). The CRA covers products with digital elements and their remote data processing.

> I'm unclear on whether individuals contributing to the relevant software modules will be protected or liable in some way.

Contributors to open source are not liable in any form, they simply don’t exist as a market actor.

> In the Drupal ecosystem, there is a Drupal Association that as I understand it may be a candidate for Open Source Steward.

I started to see this a bit as an “I’ve a hammer, now I search for a nail” type of statement. Stewards are a possible solution for some corner cases which are difficult to handle with the default market rules, or where the market demands an actor with this special property. You don’t need to have a steward to develop and maintain open source software.

> https://www.drupal.org/project/simple_oauth or https://www.drupal.org/project/auth0

These are not brought to the market as products. The CRA doesn’t apply, you don’t need a steward.


Cheers,
  fukami