Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] More edge cases 
See my comments inline below.
> 
>> Is that because BigCo only sells their product to consumers for personal purposes or what? Say the customer is an ISP or domain hoster which sells web hosting on the side, aren't they supposed to be responsible for their webserver software? And if they ask BigCo to configure it for them, does it really matter whether BigCo delivers the binaries or just uses a public distribution?
> 
> Yes - but that ISP places a product in the (European) market as well.
> 
>> At $dayjob-1 we had a vendor which sold us a giant monolith web service shipped for RHEL only, with tomcat and a bunch of dependencies vendored in. They required specific OS versions, configured all the dependencies, delivered everything in giant tarballs. Surely they're responsible for the tomcat upgrades as part of the overall product. I sure hope that doesn't change if they decide to stop vendoring the dependencies and, say, install a pinned version from the RHEL repos.
> 
> 
> So if, in your example, BigCo has placed a product on the European market, e.g a webserver (even if it BigCo HTTP sever powered by Apache) and that ISP has bought that product and supplies something to its customer (e.g. a web-farm with low cost webpages for small companies) and puts that on the European market. Then IMHO both are under the CRA.
> 

Are you sure about that, where would you draw the line to services? I cannot give references atm, but I would have thought that such a service would be excluded under CRA. They are ofc still responsible, but I would have intuitively said under NIS2 or sth and not CRA.


> If BigCo is BigConsulting - and they rent people out by the hour that ISP hires & where the ISP directs them to download & tweak the apache httpsd server and set it up — then BigConsulting is IMHO not under the CRA. ISP still is.
> 
> Now an ISP is a bad example as the arguably has some sort of exertise/knowldge.
> 
> So let’s say your ISP is not an ISP but a Marketing/digital-brand agency that sells websites to small companies ‘all in’ (ie. Nice looking web page and 5 years of ‘free’ hosting).
> 
> The case law will probably begin if BigCo sort of has a BigConsulting contract with the Marketing company where BigCo staff follow some BigCo developed process/script that fetches apache-https, installs it and configures it. So essentially it is a `product’ in all but the name. I would expect the courts to push back on this - and place it under the CRA — or see a CRA-II after the evaluation period that ‘fixes’ this. For the simple reason that the Marketing company gets it as a `product’.
> 
> Dw
> 
> _______________________________________________
> open-regulatory-compliance mailing list
> open-regulatory-compliance@xxxxxxxxxxx
> To unsubscribe from this list, visit https://accounts.eclipse.org

Back to the top