Hi all,
coming from the standardization meeting last week, I have a question to the group.
At WG9 of CEN/CLC/JTC13 the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.
The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.
This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer’s self-declaration is only possible when a harmonized standard (hEN)
is fully applied by the manufacturer of the PdE – this is of course also applicable to software.
That means: If a hEN is not cited in the OJEU in three years, manufacturers need to go to a third party for conformity assessment with the CRA essential requirements.
That means: If no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These
standards need to be “homegrown” standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the “accepted path”. You can find more information
on hEN here:
https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/
Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?
For example, for:
- IAM Solutions, PAM Solutions
- Browsers
- Password Managers
- Antivirus
- VPN Software
- SIEM
- Boot Manager
- PKI Software
- Operating Systems
- Smart Home Virtual Assistants
- …?
Mit den besten Grüßen,
Steffen Zimmermann
Industrial Security @ VDMA
