Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV

That's not my understanding of what Full Quality Assurance means.

[attached image: image.png]

I may be splitting hairs, but my reading here aligns with how the certification of an integrated management system works à la ISO 9001/27001 (initial audit, annual surveillance). The notified body is no different from any other auditor / certification body.

I would love to read official guidance that suggests that in the CRA case this is different...

Thanks.
Daniel

On Tue, Dec 10, 2024 at 12:15 PM Steffen Zimmermann <steffen.zimmermann@xxxxxxxx> wrote:

Hi Daniel,

That is not correct. Module H means mandatory third-party assessment which costs additional time and money and I don’t know how this will be done for software. Module A is self assessment without the need to go to a Notified Body. See the table below…

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA

From: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Sent: Tuesday, 10 December 2024 12:10
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Subject: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV

I think that the nuance here is that a "self-assessment" is also possible under Module H - which leverages the manufacturer's internal quality assurance and cybersecurity of the production processes (such as with ISO 9001 && ISO 27001).

Cheers,
Daniel

On Tue, Dec 10, 2024 at 12:03 PM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

Coming from the standardization meeting last week, I have a question for the group.

At WG9 of CEN/CLC/JTC13 the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.

The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.

This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer's self-declaration is only possible when a harmonized standard (hEN) is fully applied by the manufacturer of the PdE; this of course also applies to software.

That means: if a hEN is not cited in the OJEU within three years, manufacturers need to go to a third party for conformity assessment against the CRA essential requirements.

That means: if no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These standards need to be "homegrown" standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the "accepted path". You can find more information on hEN here: https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/

Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?

For example, for:

  • IAM Solutions, PAM Solutions
  • Browsers
  • Password Managers
  • Antivirus
  • VPN Software
  • SIEM
  • Boot Manager
  • PKI Software
  • Operating Systems
  • Smart Home Virtual Assistants
  • …?

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx