Hi Tobie,
of course :) I don’t mind opening GitHub issues, I am just not sure if I properly have teased out all of them.
Sth. like:
* Is the reference to a connection requirement / network clause in the CRA still relevant or only a historical artefact?
* Does the method of delivery (web app, desktop app, package manager) matter for the analysis if or how the CRA applies?
though to my mind the more interesting points are probably, as raised by others, what kind of "infrastructure" or professionalism is enough to trigger application. Naively I thought it would need some sort of commercial exploitation (if indirectly) but others here seem to have suggested that that is not the case.
--
Dr. Florian Idelberger
Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe
E-Mail: florian.idelberger@xxxxxxx
KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft
On 23.01.2025 at 13:22, Tobie Langel <tobie@xxxxxxxxxxxxxx> wrote:
Hi Florian,
Thanks for reviving this thread!
I think it would be very beneficial to tease out the questions raised here and split them up into separate questions for our FAQ[1]. Ideally, by opening a new GitHub issue[2] for each question. Alternatively, by providing them as a list in one email on the list that I would then split up into GitHub issues myself.
Is this something you would be willing to help with? Please let me know.
--tobie
---
To revive this thread now that I am getting back to it - what kind of line do you want to draw there?
My original question was more supposed to ask - is there even a single example (that is not already excluded, such as cars or medical devices) where the connection requirement matters? Is it really just a historic artefact? In most of your cases IMO the delineation would be - if it is offered as SaaS, then it falls under NIS-2 and potentially DSA (but NIS-2 is more comparable to CRA iirc) and everything else is likely covered by the CRA, if the content is covered. The distribution method doesn’t matter much imo (e.g. whether it is a Docker container). Or is there some clause that you think makes the distribution method matter much more (which I might have overlooked)?
--
Dr. Florian Idelberger
Karlsruher Institut für Technologie (KIT)
Zentrum für Angewandte Rechtswissenschaft (ZAR)
Institut für Informations- und Wirtschaftsrecht
Vincenz-Prießnitz-Str. 3, D-76131 Karlsruhe
E-Mail: florian.idelberger@xxxxxxx
KIT - Universität des Landes Baden-Württemberg und
nationales Forschungszentrum in der Helmholtz-Gemeinschaft
The following has been on my mind the past few months, and I have been point-blank asked several times:
Specifically, where do we draw the line in software distribution / usage method? I have "heard" conflicting perspectives. (i.e. SaaS is to be covered entirely by the DSA, etc.)
Here are a few examples (assuming all use network connections above and beyond an updating mechanism)
1. Downloaded DMG / EXE / DEB / AAB / APK / etc. installed on the user's device
2. Webapp loaded and run entirely through a browser
3. The Admin interface for e.g. a WordPress website (is the website itself an app, or just the administrator UI, or neither?)
4. PWA downloaded and run "standalone" as an app with a desktop icon and no "browser-chrome"
5. A REPL in a browser tab
6. SaaS product of any type
7. Discrete tooling to make software, such as a workflow or action in CI/CD
8. A CLI tool like iftop / curl
9. A docker container
n. Others I am probably forgetting.
This is likely to keep coming up, so maybe worthwhile workshopping at FOSDEM.
--
Denjell
Hi Florian,
I'm also interested in this question. A lot of software does not have a
network connection and if it has one, it could be removed.
The network connection is not mentioned in any way in the EC flowchart
from last FOSDEM. I'm almost convinced that it is a remnant from CRA
history.
How do we treat it legally? PLD, which does not have the network clause,
will indirectly enforce CRA for all software so I don't think it matters
much in practice but it's still weird.
If nobody has any insights we should put this question on the FOSDEM agenda.
On 28.12.24 at 19:58, Idelberger, Florian (IIWR) via open-regulatory-compliance wrote:
> Hey All,
>
> One question I have asked myself but haven’t found a satisfactory answer to yet - are there any products that are exempt by not (directly or indirectly) being used with a network connection? Arguably, the product categories are quite broad, so it seems almost this requirement does not really matter. But then why not extend it to all products, independent if they have a network connection or not? Is this just a product of the CRA's legislative history?
>
_______________________________________________
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx
To unsubscribe from this list, visit
https://accounts.eclipse.org