Hi All,
It is in general very important to differentiate between certification, e.g. as done against a standard like ISO 27001, and conformity assessment in the context of the EU New Legislative Framework. For the CRA, we are NOT talking about certification. On the contrary.
Thanks... Jochen
Dr. Jochen Friedrich
Technical Relations Executive
IBM Technical Relations Europe
Phone: +49 160 9694 1964 | E-Mail: jochen@xxxxxxxxxx
From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: 10 December 2024 12:45 PM
To: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
Hi Daniel,
Notified Bodies are not the same as an accredited certification body. The notified body needs to be registered in the EU NANDO database. Notified Bodies do a conformity assessment not only on processes but also on products. Take a look at the conformity assessment for cybersecurity of radio equipment, which was published in the OJEU in 2022 and is mandatory as of August 2025 (more than the three CRA years).
Notified Bodies for the Radio Equipment Directive: 69 NoBo throughout Europe
Notified Bodies for the RED Delegated Regulation on cybersecurity: 24 NoBo throughout Europe
Notified Bodies for Module H for RED DR: 5 NoBo throughout Europe
Therefore, do not rely on Module H for the CRA – there will not be sufficient resources available in time for manufacturers, and in the end this will be much more expensive than relying on a standard.
With best regards,
Steffen Zimmermann
Industrial Security @ VDMA
From: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Sent: Tuesday, 10 December 2024 12:31
To: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
That's not my understanding of what Full Quality Assurance means.
I may be splitting hairs, but my reading here aligns with how the certification of an integrated management system works à la ISO 9001/27001 (initial audit, annual surveillance). The notified body is no different than any other auditor / certification body.
I would love to read official guidance that suggests that in the CRA case this is different...
Thanks.
Daniel
Hi Daniel,
That is not correct. Module H means mandatory third-party assessment, which costs additional time and money, and I don't know how this will be done for software. Module A is self-assessment without the need to go to a Notified Body. See the table below…
With best regards,
Steffen Zimmermann
Industrial Security @ VDMA
I think that the nuance here is that a "self-assessment" is also possible under Module H - which leverages the manufacturer's internal quality assurance and cybersecurity of the production processes (such as with ISO 9001 && ISO 27001).
Hi all,
Coming from the standardization meeting last week, I have a question for the group.
At WG9 of CEN/CLC/JTC13 the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.
The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.
This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer's self-declaration is only possible when a harmonized standard (hEN) is fully applied by the manufacturer of the PdE – this is of course also applicable to software.
That means: If a hEN is not cited in the OJEU in three years, manufacturers need to go to a third party for conformity assessment with the CRA essential requirements.
That means: If no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These standards need to be "homegrown" standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the "accepted path". You can find more information on hEN here:
https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/
Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?
For example, for:
- IAM Solutions, PAM Solutions
- Browsers
- Password Managers
- Antivirus
- VPN Software
- SIEM
- Boot Manager
- PKI Software
- Operating Systems
- Smart Home Virtual Assistants
- …?
With best regards,
Steffen Zimmermann
Industrial Security @ VDMA