This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.
Here: Quick guidance for the question if your FOSS component is in scope for the CRA, and if so, wether you're deemed a steward or manufacturer in regards of the component.
@km Yeah, I feel you.
Not a legal advice, but 'product with digital elements' just comes down to "everything with software in it and a connection to the outer world, and is somewhat 'shipped' - i.e. pure SaaS is not in scope"
'placed on the market' and 'commercial activity': The examples are worth having a look to get a feel, this is example 21 on page 18 for instance:
@mechko some saas-y parts could be in scope though.
recently i browsed the CRA FAQ, and interpretation of what could be a "connection" in the FAQ surprised me. see the calculator example.
@km The component needs to be "placed on the market". As I understand it, providing a service is not. Different story: If there is a mobile app connecting to that SaaS service.
The calculator-application example is indeed interesting, thanks for sharing!
@mechko CRA covers remote data processing: "data processing at a distance [...] the absence of which would prevent the product with digital elements from performing one of its functions"
"[c]loud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at 2a distance fall within the scope of [CRA]."
calculator was ... surprising!
Mirko Swillus
advokatt
mike morris
cubeos