Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
Coincidentally I just posted an article about the presumption of conformity:
https://opensource.org/blog/standards-and-the-presumption-of-conformity

On Tue, 10 Dec 2024, 12:50 Jochen Friedrich via open-regulatory-compliance, <open-regulatory-compliance@xxxxxxxxxxx> wrote:
Hi All,

It is in general very important to differentiate between certification, e.g. as done against a standard like ISO 27001, and conformity assessment in the context of the EU New Legislative Framework. For the CRA, we are NOT talking about certification. On the contrary.

Thanks... Jochen


Dr. Jochen Friedrich
Technical Relations Executive
IBM Technical Relations Europe
Phone: +49 160 9694 1964   |   E-Mail: jochen@xxxxxxxxxx 

IBM

IBM Deutschland Research & Development GmbH

Vorsitzender des Aufsichtsrats: Wolfgang Wendt

Geschäftsführung: David Faller

Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart, HRB 243294 

From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> on behalf of Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>
Sent: 10 December 2024 12:45 PM
To: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>; Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: [EXTERNAL] Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV
 
Hi Daniel, Notified Bodies is not the same like accredited certification body. The notified body needs to be registered in the EU NANDO database. Notified Bodies do a conformity assessment not only on processes but also on products. Take a look

Hi Daniel,

 

Notified Bodies is not the same like accredited certification body.

 

The notified body needs to be registered in the EU NANDO database. Notified Bodies do a conformity assessment not only on processes but also on products. Take a look at the conformity assessment for cybersecurity of radio equipment, which was published in the OJEU in 2022 and is mandatory as of August 2025 (more that the three CRA-years).

 

Notified Bodies for the Radio Equipment Directive: 69 NoBo throughout Europe

Notified Bodies for the RED Delegated Regulation on cybersecurity: 24 NoBo throughout Europe

Notified Bodies for Module H for RED DR: 5 NoBo throughout Europe

 

Therefore, do not rely on Module H for the CRA – there will not be sufficient resources available in time for manufacturers and in the end this will be much more expensive than to rely on a standard.

 

Mit den besten Grüßen,

 

Steffen Zimmermann

Industrial Security @ VDMA

 

 

Von: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Gesendet: Dienstag, 10. Dezember 2024 12:31
An: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Betreff: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV

 

Sie erhalten nicht häufig E-Mails von denjell@xxxxxxxxxxxxxx. Erfahren Sie, warum dies wichtig ist

That's not my understanding of what Full Quality Assurance means.



I may be splitting hairs, but my reading here aligns with how the certification of an integrated management system works ala ISO 9001/27001. (Initial audit, annual surveillance). The notified body is no different than any other auditor / certification body.

I would love to read official guidance that suggests that in the CRA case this is different...

Thanks.
Daniel

 

On Tue, Dec 10, 2024 at 12:15PM Steffen Zimmermann <steffen.zimmermann@xxxxxxxx> wrote:

Hi Daniel,

 

That is not correct. Module H means mandatory third-party assessment which costs additional time and money and I don’t know how this will be done for software. Module A is self assessment without the need to go to a Notified Body. See the table below…

 

 

Mit den besten Grüßen,

 

Steffen Zimmermann

Industrial Security @ VDMA

 

 

Von: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Gesendet: Dienstag, 10. Dezember 2024 12:10
An: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxxx>
Betreff: Re: [open-regulatory-compliance] hEN for open source software compliance Annex III and Annex IV

 

Sie erhalten nicht häufig E-Mails von denjell@xxxxxxxxxxxxxx. Erfahren Sie, warum dies wichtig ist

I think that the nuance here is that a "self-assessment" is also possible under Module H - which leverages the manufacturer's internal quality assurance and cybersecurity of the production processes (such as with ISO 9001 && ISO 27001).

 

Cheers,
Daniel

 

On Tue, Dec 10, 2024 at 12:03PM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi all,

 

coming from the standardization meeting last week, I have a question to the group.

 

At WG9 of CEN/CLC/JTC13 the work is on the “horizontal standards” of Annex I, based on the official but not yet published standardization request by the European Commission.

The standardization request of the European Commission is also asking for the development of “vertical standards” for PdE listed in Annex III and Annex IV.

This should be of very high concern, because for products in Annex III (and Annex IV) a manufacturer’s self-declaration is only possible when a harmonized standard (hEN) is fully applied by the manufacturer of the PdE – this is of course also applicable to software.

 

That means: If a hEN is not cited in the OJEU in three years, manufacturers need to go to a third party for conformity assessment with the CRA essential requirements.

 

That means: If no one is working on a hEN for a product category of Annex III, it is likely that products in this category will need a third-party assessment. These standards need to be “homegrown” standards developed and published by either CEN/CENELEC or ETSI. ISO/IEC standards cannot be hENs but can get cited. Industry standards cannot get cited because they are outside of the “accepted path”. You can find more information on hEN here: https://boss.cen.eu/developingdeliverables/pages/en/pages/enforojeu/

 

Therefore, do we have an overview of groups working on hEN for (open source) software products in Annex III?

For example, for:

 

  • IAM Solutions, PAM Solutions
  • Browsers
  • Password Managers
  • Antivirus
  • VPN Software
  • SIEM
  • Boot Manager
  • PKI Software
  • Operating Systems
  • Smart Home Virtual Assistants
  • …?

 

Mit den besten Grüßen,

 

Steffen Zimmermann

Industrial Security @ VDMA

 

 

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

PNG image

PNG image

PNG image

Back to the top