Hi Tobie, all,
your assumptions are of course based on Case 2 and you look at the same problem from the other side, and therefore they don't convince me 😃
Even wiping away the foreseen distinction between making available and placing on the market in the CRA makes me believe, for good reasons, that the view of the software version as the product is right.
Let me therefore introduce another example for consideration of Case 1:
Example: Madden NFL 26 – Distribution on physical media.
The game is available through the PS Store and via Mediamarkt. Gamers can download it directly or buy the Disc in the local store.
Case 1:
The game is the product. The manufacturer distributes the discs to multiple stores over time. The signed contract and the physical hand-over are a making available.
When this happens for the first time for the game, this is the placing on the market.
Case 2:
The disc is the product. The manufacturer distributes the discs to multiple stores over time. Every disc is a single instance of the product, and the distribution over time leads to multiple placings on the market, based on the production date of the physical disc. With every disc, the support period has to be addressed for the disc, and not for the software itself. Substantial modification would be linked to the disc, which is a ROM and cannot be modified.
Conclusion:
The download is just one distribution channel, like physical media, and therefore cannot be seen as the product.
Best regards,
Steffen Zimmermann
Industrial Security @ VDMA
From: Tobie Langel <tobie@xxxxxxxxxxxxxx>
Date: Thursday, 16 October 2025 at 13:29
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Steffen Zimmermann <steffen.zimmermann@xxxxxxx>
Subject: Re: [open-regulatory-compliance] Placing software on the market - General issues
I don't think Recital 39 contradicts my understanding. Recital 39 uses language essentially lifted from Blue Guide 2.1 Product Coverage / Repairs and modifications to products. I believe that section uses the term "made available" instead of "placed on the market" because it wants to encompass in its requirements individual products sitting in a warehouse somewhere (so already placed on the market), but which haven't reached their final customers yet (so still subject to being made available). This is to avoid companies being able to game the system by shipping safe products in the EU and then modifying them remotely to unlock additional (unsafe) features that would not be subject to the initial assessment (which happens at placement). For downloaded software this is irrelevant, as both placing and making available happen at the same time, but the language stays.
The whole purpose of Recital 39 is to explain how substantial modifications apply to software in order to set up Recital 40, which explains that if you provide a new major version of your software for free to existing customers and their existing hardware supports it, you don't need to continue supporting your previous version. So I don't think it is making any statements as to substantial modification triggering a new placement event or anything of that kind.
Again, happy to discuss more.
Dear Tobie, all,
when seeing these two types of views, look at the effects for modifications.
Case 1 – software version is the product
When changing the software, minor changes would mean just a making available again, and substantial changes would lead to a new placing on the market.
-> This is what Recital 39 states and supports
Case 2 – software download is the product
When changing the software, there is no need to look at the severity of the change, because every download is a new placing on the market
-> Recital 39 would not work
Given that, I still see case 1 as the right approach!
Recital 39:
As is the case for physical repairs or modifications, a product with digital elements should be considered to be substantially modified by a software change where the software update modifies the intended purpose of that product and those changes were not foreseen by the manufacturer in the initial risk assessment, or where the nature of the hazard has changed or the level of cybersecurity risk has increased because of the software update, and the updated version of the product is made available on the market. Where a security update which is designed to decrease the level of cybersecurity risk of a product with digital elements does not modify the intended purpose of a product with digital elements, it is not considered to be a substantial modification. This usually includes situations where a security update entails only minor adjustments of the source code. For example, this could be the case where a security update addresses a known vulnerability, including by modifying functions or the performance of a product with digital elements for the sole purpose of decreasing the level of cybersecurity risk. Similarly, a minor functionality update, such as a visual enhancement or the addition of new pictograms or languages to the user interface, should not generally be considered to be a substantial modification. Conversely, where a feature update modifies the original intended functions or the type or performance of a product with digital elements and meets the above criteria, it should be considered to be a substantial modification, as the addition of new features typically leads to a broader attack surface, thereby increasing the cybersecurity risk. For example, this could be the case where a new input element is added to an application, requiring the manufacturer to ensure adequate input validation. In assessing whether a feature update is considered to be a substantial modification it is not relevant whether it is provided as a separate update or in combination with a security update. The Commission should issue guidance on how to determine what constitutes a substantial modification.
Best regards,
Steffen Zimmermann
Industrial Security @ VDMA
From my reading of the Blue Guide, the product is the specific item that is part of a transaction between two (or more) parties, so it's the download in your example.
This reading is coherent with, for example, the obligations for manufacturers to keep a copy of the documentation for 10 years after the product is placed on the market (Article 13(13)). In a reading where product means a type of product (and not an individual product), it would imply that if you sell the same product for 12 years, you no longer have to provide documentation for it in the last two years, which makes no sense.
OTOH, in a reading where product describes an individual item, this means that you have to keep the documentation for 10 years after your last sale. That's a lot more logical imho.
Dear Tobie,
the elephant in the room is the question of how to deal with the word product. There are two options:
the software is the product, or the download is the product. The FAQ somehow supports both views.
Define product = software 1.0
If (software 1.0 == product) then download(product)=making.available
Define product = download(software 1.0)
If (software 1.0 == product) then download(product)=placing.on.the.market
Best regards,
Steffen Zimmermann
Industrial Security @ VDMA
Hi Steffen,
Thanks for your great questions. Please see my comments inline. I'm happy to discuss this in person if needed. This is a complicated topic, and while my confidence in my understanding of this area is increasing, I might still be very wrong.
Dear Colleagues,
I have a question regarding your views on the placing on the market of software.
I appreciate your thoughts on it since the new EC CRA FAQ has currently a different view on software…
The FAQ has been shared publicly so most folks haven't had access to it. I've only skimmed through it so far, so please take my comments with a grain of salt.
Case:
A manufacturer finished the development of software 1.0 and makes it downloadable on a website and an app store for European customers. European customers download the software from the website or the app store.
Statement 1:
Software 1.0 is the product with digital elements, and the first download is the first making available – placing on the market – of software 1.0. Any other download of software 1.0 is another making available. Any other distribution via distribution channels is another instance of making available of software 1.0. Placing on the market of software 1.0 can happen only once.
From my understanding, this is not the correct interpretation of what placing on the market means. Blue Guide 2.3 specifically states that: "As for ‘making available’, the concept of placing on the market refers to each individual product, not to a type of product, and whether it was manufactured as an individual unit or in series."
The distinction between placing and making available is that placing is the first time an individual product enters the EU market, whereas making available can happen multiple times, for example as a product is sold to an importer, which then resells it to a national distributor, which itself sells it to a consumer.
This is easier to understand with physical goods. The importer imports 300 connected washing machines. Each washing machine is placed on the market as they are imported (so there are 300 distinct made available on the market "events" and as many placed on the market "events"). The importer sells 200 of those to the French distributor (that's 200 made available "events") and 100 to the Spanish distributor (that's 100 made available "events"). The Spanish seller now sells 5 washing machines (that's 5 additional made available "events"), the French one sells none. So the total here would be: 300 placed events, 605 made available events.
I do agree that this is quite weird for software, but the same idea applies. And so in your example, every new sale is both a new placement and making available at the same time.
Statement 2:
When software 1.0 has been modified or repaired to 1.1 and this is not considered as a substantial modification, the download and distribution of software 1.1 is still making available.
Following from my explanation above, I don't believe that's correct. Every new purchase is a placement on the market.
Statement 3:
When software 1.0 has been modified or repaired to 2.0 and this modification is seen as a substantial modification, the first download of software 2.0 is the first making available on the market – placing on the market.
All separate new purchases of v2 will be a separate new placing on the market event, as it was for v1.
Question:
What is seen as a product regarding software? Do you agree to this view and statements?
This is a crucial viewpoint for Support Period and legacy products. In that view, Legacy software is still downloadable on the website without the danger of falling under the CRA.
My belief is that it is not the case. Any software sold once the full application of the law kicks in, whether legacy or not, is immediately subject to the CRA for that particular sale.
However, the same software sold the night before won't be.
Happy to discuss more and/or turn some of this into FAQs.
Principal & Managing Partner, UnlockOpen
open-regulatory-compliance mailing list
open-regulatory-compliance@xxxxxxxxxxx