Re: [open-regulatory-compliance] Does being categorized as Important or

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

From: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Date: Mon, 1 Jul 2024 13:47:26 +0000
Accept-language: de-DE, en-US
Arc-authentication-results: i=3; mx.microsoft.com 1; spf=pass (sender ip is 52.17.62.50) smtp.rcpttodomain=eclipse.org smtp.mailfrom=vdma.org; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=vdma.org; dkim=pass (signature was verified) header.d=vdma.org; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=vdma.org] dkim=[1,1,header.d=vdma.org] dmarc=[1,1,header.from=vdma.org])
Arc-authentication-results: i=2; mx.avanan.net; arc=pass; dkim=none header.d=none
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=vdma.org; dmarc=pass action=none header.from=vdma.org; dkim=pass header.d=vdma.org; arc=none
Arc-message-signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N9MiZ/lMZsuYjlM1fMOhzlXBo1tt+2jCpo7UWtW1dS0=; b=lpqHWJowe4HEvvulzo2GCaOxvEb7kg3dSjiBvT7/6hO2cHmFAUolOvi1IOLXolkx/advlIAqA2/8vdsierH7AANG+OfLkGBr3Zj+7QqcQnBvvMhZgvhFE2oPpRghoS7M0jTTIP4QN2K+jROGD+6WsyTnzwIo5E8srvR8/4xkGeczrY1bcOvi2ZfamZrBCZkSVXf6Q50R14glpGfgQ3DfIhG9FYtoilrRWcWCm3zjQ3AzRnlSan3w7oX2Owbf7AXbQCvKc5SatwV4rMV9N9HERXNKtzju55fy+kkJAM1vUOvvQWo+EnHJOs83pEdAM3nrje/ZGv3UG0DQrFX5USH2gg==
Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=avanan.net; s=arcselector01; t=1719841661; h=from : to : subject : date : message-id : content-type : mime-version; bh=N9MiZ/lMZsuYjlM1fMOhzlXBo1tt+2jCpo7UWtW1dS0=; b=QtSWPG0YLb6t06cvCfeSXnWF2iiqPJQIoXHxD+qfXcMqnfMXVVTcaHRDD033+ezZBdX7P SdhSQJy5ZnPNpUNxDwwa25w21VxNzb5c8G7nNTlGvKPK9wuU3IzEk9P0ZnQEV++P1Ks7Dyu H+fN6mij0tZSe1oH4TBawdoAaBo+Q2g=
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=N9MiZ/lMZsuYjlM1fMOhzlXBo1tt+2jCpo7UWtW1dS0=; b=H9WwOmxBaG6x0wVxufnb0cLlzC6mAhF45txTDDEtl3r0IRFxBg4CM3QwIJc0rHNlMAZi7m36oGfxmhF2FaQgtCp+MXwgBWLZhXVqZbVM4DRz0uMbWt7GNBVD3vzXaeCfourqW7DK30V/1JXG0lejQWDv0zDxMAwB7oQaodlHYhkjJwqRzMibG7eO+0QaQopXM6meY+gNcgBxQiNH1sIOR3xwfkEUpFqyS5MhnNOG3vCK/gorQFn19Ulh/ynd8qg0cOJYrj779apmao6iqGxd/2WQqf15N9pvZSUORdosjlFqZQWav+dq2wYVMTjJSUkkH9Fu9uJomNUhRQmRKIMiBQ==
Arc-seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass; b=CtcflZgrpbiYvMEZRi9nO3C5GPaklJZhxJ4SKpVywnUzwjfGJuB0fYONK6MZPVoLmk3HYkARgZtrm3Q9pFAQHPf9g+ypBeem+XKAWU4C+nfFu3cCwzMW0KOGcRBK7KfdaoZVbW0B+Em8a7Fm5woxJ8DFZfSPvgjV2SxeuQC1cpVi+3PaqcZGGXNe6rugv5s8T2Vb0HMlU0+TzYyDosLWzRqTWve1k4MqgT5NSXh0ASxqiRbXtxqmOiqP63buYu8w+wdGjeGQVfQwx8x7aKB5erCkNYtZeYY/plwrIq9oQJLWCXNhsP5i+F0uFviCI0AVK+2So+A354gsoyDEvKn8EA==
Arc-seal: i=2; cv=pass; a=rsa-sha256; d=avanan.net; s=arcselector01; t=1719841661; b=YB2McJOTnGiwV1+4JH8Awilz/oCy9f555UN/GDsft0kMEGHOXFv091s5iFj7ON0z6D7fb t0homQZJ7RNYBaYq+sLAdApyyC5vOVWMcFB1nGGZNv+9VtX/xrSZ9k/ALrHr881HzgJ+vs0 jMIu4h+X+O2hdmsiYllnKkI3SmIg9bY=
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=n4X7Da/PEUf0Hd8nadUW3CuHcIWr+ZKxShXW49oJ66EuZPs2sUb4B+DLFRjUkjf++x6Ob56k+S6APn+FOM8nH2IVTH+dvo60upqtrNIebeYRVE0MxOuCtb5klNSFdO8i4KZYGQ25MQCkfJkxouESN/5JRaismRHES/3mMArDhshe4NpWi+ooa9jPn5o5vVEYa+ePQ8ncWu1//HU/GlhaDWAjTfs7awATCltn7cJlq/tQlppktBySWyOqfF+TfdvVFqnSbZPRmxIHqOVyf+oMANP+vfYHWYYbtMHZQnIlyLsBaqOVRmmoiO/1yuqmUrWecrCTKiSwvdnFr4JoeJFzmg==
Delivered-to: open-regulatory-compliance@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>
List-help: <mailto:open-regulatory-compliance-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/open-regulatory-compliance>, <mailto:open-regulatory-compliance-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHayw3RDrgBXyy2gEWKPnkRp+IN9bHgiGOAgAAPqwCAABn+AIAAK9GAgACgVICAAAfxgIAAD5QAgABErQCAAAiCkA==
Thread-topic: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

Dear all,

sorry for my very special view on machinery, which is b2b. That grinding machines I have in mind look like these. These are more or less “systems of systems”, having linux, windows, sensors, actuators, ethernet, opc ua, mqtt, REST-API, you name it.

Build by developers maybe as a tailor-made product but based on a lot of (OSS) components from hundreds of suppliers.

Ein Bild, das Handy, Design enthält.

Automatisch generierte Beschreibung

Source: https://www.grinding.ch/en/united-grinding/

Mit den besten Grüßen,

Steffen Zimmermann

Industrial Security @ VDMA

Von: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> Im Auftrag von Dirk-Willem van Gulik via open-regulatory-compliance
Gesendet: Montag, 1. Juli 2024 15:12
An: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Dirk-Willem van Gulik <dirkx@xxxxxxxxxxxxxx>
Betreff: Re: [open-regulatory-compliance] Does being categorized as Important or Critical product impact FOSS dependencies (Was: European Commission informal CRA consultations on the definition of Critical and Important products)

So getting back to Steffen Zimmermann @ VDMA really crisp and clear example. And now having sat in at about half the clarification calls - I think it is fair to say that the question about a (mundane) product that has, within it, things from the Annexes, keeps coming up.

And, unless my understanding is wrong, it appears that each time, the CRA team focuses in their answer on the product as placed on the market - as opposed to its sub functionality. I.e. on its primary function, its core, etc.

So, as an example, if we have a 15 euro Furby - we’d look at that from an (internet connected) toy or a rain meter in your garden:

My understanding from the CRA calls is that we need to evaluate these from a CRA perspective as an Internet connected toy or `just a product not in any of the annexes’ placed on the market.

Which is logical. You buy a firewall or a HSM to improve a key aspect of your cyber resilience posture & there the Annexes count. That does not factor in with a Furby or a Rain Gauge.

So the fact that this 1.28 euro embedded board actually happens to contains a firewall, a network adaptor, something very much akin to a hypervisor on Core0 and an HSM is not important; as it is not a HSM, firewall or network adaptor that is placed on the market. It is a Furby.

Or at least that seems to be what is said time and time again on these calls. So if we have a dead normal surface grinder (such as the one here at our shared workshop ( https://wiki.makerspaceleiden.nl/mediawiki/index.php/Vlakslijpmachine_/_Surface_Grinder) my take is that below depiction by VDMA is not quite correct.

This machine should be taken as a Grinding machine (and assuming there is not some sort of lex specialis directive) - the fact that it happens to contain an OS or HSM does not cause it to be on the annex of the CRA.

Would that be fair ?

Two options - dirk or MH sends it directly; or we make this some sort of collective letter. But the ECs telecoms are quite informal. So I suggest the first rather than the latter.

Follow-Ups:

References:

Breadcrumbs