Re: [open-regulatory-compliance] More edge cases



On 8 Jul 2024, at 10:43, Idelberger, Florian (IIWR) via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

See my comments inline below.

Is that because BigCo only sells their product to consumers for personal purposes or what? Say the customer is an ISP or domain hoster which sells web hosting on the side, aren't they supposed to be responsible for their webserver software? And if they ask BigCo to configure it for them, does it really matter whether BigCo delivers the binaries or just uses a public distribution?

Yes - but that ISP places a product in the (European) market as well.

At $dayjob-1 we had a vendor which sold us a giant monolith web service shipped for RHEL only, with tomcat and a bunch of dependencies vendored in. They required specific OS versions, configured all the dependencies, delivered everything in giant tarballs. Surely they're responsible for the tomcat upgrades as part of the overall product. I sure hope that doesn't change if they decide to stop vendoring the dependencies and, say, install a pinned version from the RHEL repos.


So if, in your example, BigCo has placed a product on the European market, e.g. a webserver (even if it is BigCo HTTP server powered by Apache) and that ISP has bought that product and supplies something to its customer (e.g. a web-farm with low cost webpages for small companies) and puts that on the European market. Then IMHO both are under the CRA.

Are you sure about that, where would you draw the line to services?

I'll leave that to more expert people to expand on. And that was not what I intended with the example.

So let's say that ISP and Marketing company in the example both sold some physical mini-server that was placed on premise at the customer. So we are for sure in the CRA.

If BigCo is BigConsulting - and they rent people out by the hour that ISP hires & where the ISP directs them to download & tweak the apache httpsd server and set it up — then BigConsulting is IMHO not under the CRA. ISP still is.

Now an ISP is a bad example as it arguably has some sort of expertise/knowledge.

So let’s say your ISP is not an ISP but a Marketing/digital-brand agency that sells websites to small companies ‘all in’ (ie. Nice looking web page and 5 years of ‘free’ hosting).

The case law will probably begin if BigCo sort of has a BigConsulting contract with the Marketing company where BigCo staff follow some BigCo developed process/script that fetches apache-https, installs it and configures it. So essentially it is a ‘product’ in all but the name. I would expect the courts to push back on this - and place it under the CRA — or see a CRA-II after the evaluation period that ‘fixes’ this. For the simple reason that the Marketing company gets it as a ‘product’.

Dw

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org