Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
  • From: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
  • Date: Tue, 10 Dec 2024 11:45:29 +0000
  • List-archive: <https://www.eclipse.org/mailman/private/open-regulatory-compliance/>

Hi Daniel,

Notified Bodies are not the same as accredited certification bodies.

The notified body needs to be registered in the EU NANDO database. Notified Bodies do a conformity assessment not only on processes but also on products. Take a look at the conformity assessment for cybersecurity of radio equipment, which was published in the OJEU in 2022 and is mandatory as of August 2025 (more than the three CRA years).

  • Notified Bodies for the Radio Equipment Directive: 69 NoBo throughout Europe
  • Notified Bodies for the RED Delegated Regulation on cybersecurity: 24 NoBo throughout Europe
  • Notified Bodies for Module H for RED DR: 5 NoBo throughout Europe


Therefore, do not rely on Module H for the CRA – there will not be sufficient resources available in time for manufacturers and in the end this will be much more expensive than to rely on a standard.

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA


From: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Sent: Tuesday, 10 December 2024 12:31
To: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV


That's not my understanding of what Full Quality Assurance means.



I may be splitting hairs, but my reading here aligns with how the certification of an integrated management system works à la ISO 9001/27001 (initial audit, annual surveillance). The notified body is no different than any other auditor / certification body.

I would love to read official guidance that suggests that in the CRA case this is different...

Thanks.
Daniel

 

On Tue, Dec 10, 2024 at 12:15PM Steffen Zimmermann <steffen.zimmermann@xxxxxxxx> wrote:

Hi Daniel,

That is not correct. Module H means mandatory third-party assessment, which costs additional time and money, and I don’t know how this will be done for software. Module A is self-assessment without the need to go to a Notified Body. See the table below…


With best regards,

Steffen Zimmermann

Industrial Security @ VDMA


From: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Sent: Tuesday, 10 December 2024 12:10
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Subject: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV


I think that the nuance here is that a "self-assessment" is also possible under Module H - which leverages the manufacturer's internal quality assurance and cybersecurity of the production processes (such as with ISO 9001 && ISO 27001).

 

Cheers,
Daniel

 

On Tue, Dec 10, 2024 at 12:03PM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

Coming from the standardization meeting last week, I have a question for the group.


At WG9 of CEN/CLC/JTC13 the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.

The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.

This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer’s self-declaration is only possible when a harmonized standard (hEN) is fully applied by the manufacturer of the PdE – this is of course also applicable to software.

 

That means: If a hEN is not cited in the OJEU in three years, manufacturers need to go to a third party for conformity assessment with the CRA essential requirements.

 

That means: If no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These standards need to be “homegrown” standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the “accepted path”. You can find more information on hEN here: https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/

 

Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?

For example, for:

  • IAM Solutions, PAM Solutions
  • Browsers
  • Password Managers
  • Antivirus
  • VPN Software
  • SIEM
  • Boot Manager
  • PKI Software
  • Operating Systems
  • Smart Home Virtual Assistants
  • …?

With best regards,

Steffen Zimmermann

Industrial Security @ VDMA

