Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
  • From: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
  • Date: Tue, 10 Dec 2024 11:15:32 +0000

Hi Daniel,

That is not correct. Module H means mandatory third-party assessment, which costs additional time and money, and I don’t know how this will be done for software. Module A is self-assessment without the need to go to a Notified Body. See the table below…

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA

From: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Sent: Tuesday, 10 December 2024 12:10
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Subject: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV

I think that the nuance here is that a "self-assessment" is also possible under Module H - which leverages the manufacturer's internal quality assurance and cybersecurity of the production processes (such as with ISO 9001 && ISO 27001).

Cheers,
Daniel

On Tue, Dec 10, 2024 at 12:03PM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

Coming from the standardization meeting last week, I have a question for the group.

At WG9 of CEN/CLC/JTC13, the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.

The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.

This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer’s self-declaration is only possible when a harmonized standard (hEN) is fully applied by the manufacturer of the PdE – this is of course also applicable to software.

That means: If a hEN is not cited in the OJEU in three years, manufacturers need to go to a third party for conformity assessment with the CRA essential requirements.

That means: If no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These standards need to be “homegrown” standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the “accepted path”. You can find more information on hEN here: https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/

Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?

For example, for:

  • IAM Solutions, PAM Solutions
  • Browsers
  • Password Managers
  • Antivirus
  • VPN Software
  • SIEM
  • Boot Manager
  • PKI Software
  • Operating Systems
  • Smart Home Virtual Assistants
  • …?

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA
