Re: [open-regulatory-compliance] Is there anything outside the scope of

["Idelberger, Florian (IIWR)" <florian.idelberger@xxxxxxx>]

To revive this thread now that I am getting back to it - what kind of line do you want to draw there?

My original question was more supposed to ask - is there even a single example, (that is not already excluded (such as cars or medical devices)), where the connection requirement matters? Is it really just a historic artefact? In most of your cases IMO the delineation would be - if it is offered as SaaS, then it falls under NIS-2 and potentially DSA (but NIS-2 is more comparable to CRA iirc) and everything else is likely covered by the CRA, if the content is covered. The distribution method doesn’t matter much imo. (f.e. whether it is a docker container) Or is there some clause that you think makes the distribution method matter much more? (which I might have overlooked)

-- 
Dr. Florian Idelberger


Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe

E-Mail: florian.idelberger@xxxxxxx

KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft

Am 02.01.2025 um 12:05 schrieb Daniel Thompson-Yvetot via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx>:

The following has been on my mind the past few months, and I have been point-blank asked several times:

Specifically, where do we draw the line in software distribution / usage method? I have "heard" conflicting perspectives. (i.e. SaaS is to be covered entirely by the DSA, etc.)
 
Here are a few examples (assuming all use network connections above and beyond an updating mechanism)

1. Downloaded DMG / EXE / DEB / AAB / APK / etc. installed on the user's device

2. Webapp loaded and run entirely through a browser

3. The Admin interface for an e.g. wordpress website (is the website itself an app, or just the administrator UI, or neither?)

4. PWA downloaded and run "standalone" as an app with a desktop icon and no "browser-chrome"

5. A REPL in a browser tab

6. SaaS product of any type

7. Discrete tooling to make software, such as a workflow or action in CI/CD
8. A CLI tool like iftop / curl

9. A docker container

n. Others I am probably forgetting.

This is likely to keep coming up, so maybe worthwhile workshopping at FOSDEM.

--
Denjell

On Thu, Jan 2, 2025 at 11:06 AM Ilu via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Hi Florian,

I'm also interested in this question. A lot of software does not have a
network connection and if it has one, it could be removed.
The network connection is not mentioned in any way in the EC flowchart
from last FOSDEM. I'm almost convinced that it is a remnant from CRA
history.
How do we treat it legally? PLD, which does not have the network clause,
will indirectly enforce CRA for all software so I don't think it matters
much in practice but it's still weird.
If nobody has any insights we should put this question on the FOSDEM agenda.

Am 28.12.24 um 19:58 schrieb Idelberger, Florian (IIWR) via
open-regulatory-compliance:
> Hey All,
>
> One question I have asked myself but haven’t found a satisfactory answer to yet - are there any products that are exempt by not (directly or indirectly) being used with a network connection? Arguably, the product categories are quite broad, so it seems almost this requirement does not really matter. But then why not extend it to all products, independent if they have a network connection or not? Is this just a product of the CRAs legislative history?
>
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org

_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit https://accounts.eclipse.org