Re: [open-regulatory-compliance] Placing software on the market - General issues

Hi Steffen,

I don't think recital 39 contradicts my understanding. Recital 39 uses language essentially lifted from Blue Guide 2.1 Product Coverage / Repairs and modifications to products. I believe that section uses the term "made available" instead of "placed on the market" because it wants to encompass in its requirements individual products sitting in a warehouse somewhere (so already placed on the market), but which haven't reached their final customers yet (so still subject to being made available). This is to avoid companies being able to game the system by shipping safe products in the EU, and then modifying them remotely to unlock additional (unsafe) features that would not be subject to the initial assessment (which happens at placement). For downloaded software this is irrelevant as both placing and making available happen at the same time, but the language stays.

The whole purpose of Recital 39 is to explain how substantial modifications apply to software in order to set up Recital 40 which explains that if you provide a new major version of your software for free to existing customers and their existing hardware supports it, you don't need to continue supporting your previous version. So I don't think it is making any statements as to substantial modification triggering a new placement event or anything of that kind.

Again, happy to discuss more.

Best,

--tobie

On Thu, Oct 16, 2025 at 11:04 AM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Dear Tobie, all,

When seeing these two types of views, look at the effects for modifications.

Case 1 – software version is the product

When changing the software, minor changes would mean just a making available again, and substantial changes would lead to a new placing on the market.

-> This is what Recital 39 states and supports

Case 2 – software download is the product

When changing the software, there is no need to look at the severity of the change, because every download is a new placing on the market

-> Recital 39 would not work

Given that, I still see case 1 as the right approach!

Recital 39:

As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software change where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update, and the updated version of the product is made available on the market. Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification. This usually includes situations where a security update entails only minor adjustments of the source code. For example, this could be the case where a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification. Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation. In assessing whether a feature update is considered to be a substantial modification it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification.

Kind regards,

Steffen Zimmermann

Industrial Security @ VDMA

From: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Date: Wednesday, 15 October 2025 at 18:54
To: Steffen Zimmermann <steffen.zimmermann@xxxxxxx>
Cc: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] Placing software on the market - General issues

From my reading of the Blue Guide, the product is the specific item that is part of a transaction between two (or more) parties, so it's the download in your example.

This reading is coherent with, for example, the obligations for manufacturers to keep a copy of the documentation for 10 years after the product is placed on the market (Article 13(13)). In a reading where product means a type of product (and not an individual product), it would imply that if you sell the same product for 12 years, you no longer have to provide documentation for it in the last two years, which makes no sense. OTOH, in a reading where product describes an individual item, this means that you have to keep the documentation for 10 years after your last sale. That's a lot more logical imho.

--tobie

On Wed, Oct 15, 2025 at 6:42PM Steffen Zimmermann <steffen.zimmermann@xxxxxxx> wrote:

Dear Tobie,

The elephant in the room is the question of how to deal with the word product. There are two options.

The software is the product or the download is the product. The FAQ somehow supports both views.

Define product = software 1.0

If (software 1.0 == product) then download(product) = making.available

Define product = download(software 1.0)

If (download(software 1.0) == product) then download(product) = placing.on.the.market

Kind regards,

Steffen Zimmermann

Industrial Security @ VDMA

From: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Date: Wednesday, 15 October 2025 at 18:33
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxx>
Subject: Re: [open-regulatory-compliance] Placing software on the market - General issues

Hi Steffen,

Thanks for your great questions. Please see my comments inline. I'm happy to discuss this in person if needed. This is a complicated topic, and while my confidence in my understanding of this area is increasing, I might still be very wrong.

On Wed, Oct 15, 2025 at 5:46PM Steffen Zimmermann via open-regulatory-compliance <open-regulatory-compliance@xxxxxxxxxxx> wrote:

Dear Colleagues,

I have a question regarding your views on the placing on the market of software.

I appreciate your thoughts on it since the new EC CRA FAQ currently has a different view on software…

The FAQ has been shared publicly so most folks haven't had access to it. I've only skimmed through it so far, so please take my comments with a grain of salt.

Case:

A manufacturer finished the development of software 1.0 and makes it downloadable on a website and an app store for European customers. European customers download the software from the website or the app store.

Statement 1:

Software 1.0 is the product with digital elements, and the first download is the first making available – placing on the market – of software 1.0. Any other download of software 1.0 is another making available. Any other distribution via distribution channels is another instance of making available of software 1.0. Placing on the market of software 1.0 can happen only once.

From my understanding, this is not the correct interpretation of what placing on the market means. Blue Guide 2.3 specifically states that: "As for ‘making available’, the concept of placing on the market refers to each individual product, not to a type of product, and whether it was manufactured as an individual unit or in series."

The distinction between placing and making available is that placing is the first time an individual product enters the EU market, whereas making available can happen multiple times, for example as a product is sold to an importer, which then resells it to a national distributor, which itself sells it to a consumer.

This is easier to understand with physical goods. The importer imports 300 connected washing machines. Each washing machine is placed on the market as it is imported (so there are 300 distinct made available on the market "events" and as many placed on the market "events"). The importer sells 200 of those to the French distributor (that's 200 made available "events") and 100 to the Spanish distributor (that's 100 made available "events"). The Spanish seller now sells 5 washing machines (that's 5 additional made available "events"), the French one sells none. So the total here would be: 300 placed events, 605 made available events.

I do agree that this is quite weird for software, but the same idea applies. And so in your example, every new sale is both a new placement and making available at the same time.

Statement 2:

When software 1.0 has been modified or repaired to 1.1 and this is not considered as a substantial modification, the download and distribution of software 1.1 is still making available.

Following from my explanation above, I don't believe that's correct. Every new purchase is a placement on the market.

Statement 3:

When software 1.0 has been modified or repaired to 2.0 and this modification is seen as a substantial modification, the first download of software 2.0 is the first making available on the market – placing on the market.

All separate new purchases of v2 will be a separate new placing on the market event, as it was for v1.

Question:

What is seen as a product regarding software? Do you agree to this view and statements?

This is a crucial viewpoint for Support Period and legacy products. In that view, legacy software is still downloadable on the website without the danger of falling under the CRA.

My belief is that it is not the case. Any software sold once the full application of the law kicks in, whether legacy or not, is immediately subject to the CRA for that particular sale.

However, the same software sold the night before won't be.

Happy to discuss more and/or turn some of this into FAQs.

Best,

--tobie

---

Tobie Langel

Principal & Managing Partner, UnlockOpen