Dear Colleagues,
I have a question regarding your views on the placing on the market of software.
I appreciate your thoughts on it since the new EC CRA FAQ currently has a different view on software…
Case:
A manufacturer finished the development of software 1.0 and makes it downloadable on a website and an app store for European customers. European customers download the software from the website or the app store.
Statement 1:
Software 1.0 is the product with digital elements, and the first download is the first making available – placing on the market – of software 1.0. Any other download of software 1.0 is another making available. Any other distribution via distribution channels are other instances of making available of software 1.0. Placing on the market of software 1.0 can happen only once.
Statement 2:
When software 1.0 has been modified or repaired to 1.1 and this is not considered as a substantial modification, the download and distribution of software 1.1 is still making available.
Statement 3:
When software 1.0 has been modified or repaired to 2.0 and this modification is seen as a substantial modification, the first download of software 2.0 is the first making available on the market – placing on the market.
Question:
What is seen as a product regarding software? Do you agree to this view and statements?
This is a crucial viewpoint for Support Period and legacy products. In that view, Legacy software is still downloadable on the website without the danger of falling under the CRA.
Evidence 1 – Blue Guide 2.2:
The making available of a product supposes an offer or an agreement (written or verbal) between two or more legal or natural persons for the transfer of ownership, possession or any other right (44) concerning the product in question after the stage of manufacture has taken place. The transfer does not necessarily require the physical handover of the product.
Evidence 2 – Blue Guide 2.4:
Products offered for sale online or through other means of distance sales [DOWNLOAD] are deemed to be made available on the Union market if the offer is targeted at end users in the Union. […] An offer for sale [WEBSITE for DOWNLOAD] is considered to be targeted at end users in the Union if the relevant economic operator directs, by any means, its activities to a Member State. The assessment of whether or not a website located inside or outside the EU targets EU end-users has to be carried out on a case-by-case basis, taking into account any relevant factors such as the geographical areas to which dispatch is possible, the languages available used for the offer or for ordering, payment possibilities, etc. The mere fact that the economic operators’ or the intermediaries’ website is accessible in the Member State in which the end user is established or domiciled is insufficient. When an online interface provides for delivery in the EU, accepts payment by EU consumers/end-users and uses EU languages, then it can be considered that the operator has expressly chosen to supply products to EU consumers or other end-users. The physical delivery [DOWNLOAD] to end-users in the EU of a product ordered from a given online seller based outside the EU, including by a fulfilment service provider [EU APP STORE], gives irrefutable confirmation that a product is placed on the EU market.
Evidence 3 – Blue Guide 2.1 - Repairs and modifications to products
After they are placed on the market, products [SOFTWARE] may be subject to life extension processes. While some of these processes intend to maintain or restore the product to its original condition [QUALITY UPDATE], others imply that substantial modifications are made to the product [FUNCTIONAL UPGRADE].
A product, which has been subject to important changes or overhaul after it has been put into service [is not in the CRA, but we assume the use of a software] must be considered as a new product if:
i) its original performance, purpose or type is modified, without this being foreseen in the initial risk assessment;
ii) the nature of the hazard [threat] has changed or the level of risk has increased in relation to the relevant Union harmonisation legislation; and
iii) the product is made available (or put into service if the applicable legislation also covers putting into service within its scope).
This has to be assessed on a case-by-case basis and, in particular, in view of the objective of the legislation and the type of products covered by the legislation in question.
Best regards,
Steffen Zimmermann
Head of Competence Center Industrial Security
VDMA e. V.
Informatics Department
Lyoner Straße 18
60528 Frankfurt am Main
Phone +49 69 6603-1978
Email steffen.zimmermann@xxxxxxx
Internet vdma.eu/cybersecurity
LinkedIn linkedin.com/in/industrialsecurity/