This week the European Commission published the draft for a guidance document for the Cyber Resilience Act (CRA). It is 70 pages, but contains some helpful examples and flowcharts, like this one, making it accessible even to Open Source folks with limited time.

Here: Quick guidance for the question of whether your FOSS component is in scope for the CRA, and if so, whether you're deemed a steward or manufacturer in regard to the component.

#opensource #cra

@mechko how about *not loading anything on a not very old phone doesn’t seem very, er, cyber-resilient*?

Sending text across a hypertext protocol is so hard these days

@mechko nice chart. some boxes are not always easy to answer, though. product with digital elements? placed on the market? part of commercial activity? uh-oh

@km Yeah, I feel you.

Not legal advice, but 'product with digital elements' just comes down to "everything with software in it and a connection to the outer world, and is somewhat 'shipped'" - i.e. pure SaaS is not in scope.

'placed on the market' and 'commercial activity': The examples are worth having a look to get a feel, this is example 21 on page 18 for instance:

@mechko some saas-y parts could be in scope though.

Recently I browsed the CRA FAQ, and the interpretation of what could be a "connection" in the FAQ surprised me. See the calculator example.

https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act-implementation-frequently-asked-questions

@km The component needs to be "placed on the market". As I understand it, providing a service is not. Different story: If there is a mobile app connecting to that SaaS service.

The calculator-application example is indeed interesting, thanks for sharing!

@mechko CRA covers remote data processing: "data processing at a distance [...] the absence of which would prevent the product with digital elements from performing one of its functions"

"[c]loud enabled functionalities provided by a manufacturer of smart home devices that enable users to control the device at a distance fall within the scope of [CRA]."

calculator was ... surprising!

@mechko @km
I'm confused by the box asking about "commercial activity"... what would one answer for dual-licenced software/library? (i.e. One with an OS licence for OS use, with an option for a commercial licence for commercial use.)

@mikro2nd @km No legal advice, but I'd say the license is not important, it's rather the question if there is a legal person which "sells" the software on the European single market.
@mikro2nd @mechko @km No legal advice, but one non-profit I know with dual license decided to move everything to a single standard OSS license to make sure they are considered a steward and not a manufacturer under the CRA.

@cubeos @mikro2nd @km Mhm ja, I'd rather look twice prior to creating a lot of effort and distraction for everyone involved. The license itself isn't the differentiator here.

(again, no legal advice either 😅)

@mechko That already looks way easier to understand, nice!

@mechko Thank you, this helps guide my process in understanding the CRA. I've been thinking that I want to try to offer my time and maybe support contracts for a side project or two. That'd probably make me a manufacturer. I'll be reading the actual CRA text in the near future.

@liw One interesting distinction already is that manufacturers can only be legal persons. Again, no legal advice ;)

So, no matter if you place something on the market by just offering a support contract (certainly not), as a freelancer you're a natural person, not a legal person. Look at the flowchart: in this case you can't be deemed a manufacturer.

@mechko For tax and other reasons I would do this as my company.

@liw Ahja, but again, you might want to look at page 17 of the draft guidance:

@mechko Skimming other parts of the draft guidance I get the impression that getting paid for development is also not going to be a problem. But I'll read through everything to make sure I don't miss anything.

Thank you for the pointers. Very helpful.

@mechko I cannot help but read that as “Clan Restoration Act” 😹 but thank you for that useful diagram!