Re: [open-regulatory-compliance] Manufacturer's responsibility

On Mon, Aug 5, 2024 at 2:09 PM Greg Wallace via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:
I have a slightly different understanding.

The manufacturer is responsible for the security of their product, including any third party components they include, regardless of how those components are licensed.

That's also my understanding from the webinar session with Benjamin.
 
HOW the manufacturer determines that their entire product is secure, up to the standard required for their category, is not completely prescribed by the CRA.

That's my understanding too. Though the harmonized standards will create a presumption of conformity, so there's a prescribed way to get a presumption of conformity.

An Attestation as to the security of an OSS project is ONE WAY a manufacturer can demonstrate that they performed appropriate due diligence. 

A third party audit could be another way. 

Questions I have here are: 
  • would the output of a third party audit be an Attestation?
 Article 25 allows it.
  • would this Attestation conform to some standard?
That's to be defined by the related delegated acts that the Commission is empowered to author. 
  • if an Open Source Steward offers an Attestation, what obligations does a third party auditor have to consult with the Steward and/or conform to the Steward's Attestation?
I don't think there's any obligation of that nature in the CRA.
 
Of course I'm very interested in others' thoughts. Perhaps the answers are understood.

Separately: should we start collecting these questions and answers in an FAQ?

--tobie
