WEBVTT

00:00.000 --> 00:15.680
Hi, everyone. Welcome to the next talk, CRA integration. How to use open source tools to ensure

00:15.680 --> 00:25.720
your company is compliant with the Cyber Resilience Act. Welcome to Florian Hackel and Anika

00:25.720 --> 00:38.440
Niemann. And thank you and welcome from our side. We are very happy that we are

00:38.440 --> 00:45.720
allowed to speak here today. First of all, I'd like to introduce us. My name

00:45.720 --> 00:54.120
is Anika Niemann, and this is my colleague, Florian Hackel. We are both lawyers and work at a law firm

00:54.120 --> 01:01.720
in Germany. We are about 25 lawyers there, all specialized in IT law, and most

01:01.720 --> 01:11.720
of us focus on compliance. But we also advise on the CRA and on the AI Act and

01:12.200 --> 01:20.280
everything related to IT law. And today we want to talk about how FOSS compliance measures

01:20.280 --> 01:28.920
support CRA obligations. Okay, we want to start with a short thesis. In general, our aim for this

01:28.920 --> 01:35.800
talk was: how can FOSS compliance support CRA readiness? And that is also the picture that you can

01:35.800 --> 01:45.720
see here in the background. From our point of view, there is a topic here: you can use

01:45.720 --> 01:51.640
your already existing FOSS compliance to get ready for the CRA, and that is symbolized by this

01:51.640 --> 01:59.400
bridge. And that's a very interesting thesis. And we thought we would like to offer you a special

01:59.480 --> 02:05.640
experience today and give you a short insight into our everyday work. And that's why for the next

02:05.640 --> 02:14.280
20 minutes, I will be a manager of a company with many questions for my lawyer, which I have

02:14.280 --> 02:21.080
to ask regarding the CRA. Okay, well, let's start. First of all, let's quickly frame

02:21.080 --> 02:26.760
why FOSS compliance suddenly matters so much more than a few years ago. Okay, so it's not

02:27.720 --> 02:33.400
anymore just "I don't want to get sued because of some copyright stuff," but it's more now.

02:33.400 --> 02:40.120
Yeah, today liability exposure also comes from security vulnerabilities, and especially in

02:40.120 --> 02:45.240
open source components, because most of all so-called proprietary code is open source now. We all know

02:45.240 --> 02:52.920
that. For example, think about a security system of a company that gets hacked because of

02:53.880 --> 02:57.880
a small vulnerability issue in an open source component. You as the manufacturer are

02:58.760 --> 03:05.080
liable for that. Everyone will sue you and wants your money for that. Therefore, it's really important now.

03:05.640 --> 03:13.240
Okay, so not only copyright issues anymore, but also product liability. Yeah, even before this

03:13.240 --> 03:18.440
CRA, there are already many customers or suppliers, things like that, that have in

03:18.440 --> 03:24.680
their contracts indemnification clauses that assume that you as the manufacturer

03:24.680 --> 03:30.440
actually know what was used and on which license you use it. And you've already mentioned

03:30.440 --> 03:35.400
the CRA, so this is the pivot point of all of this, correct? It is. It goes on top of that.

03:35.400 --> 03:40.680
Now with the CRA, you don't only have contractual obligations, but also a

03:41.080 --> 03:47.800
regulatory basis, where, for example, an official entity can

03:49.000 --> 03:55.560
enforce all the obligations. There are fines. It's even a market entry point if you don't

03:55.560 --> 04:01.480
follow the regulation of the CRA. So there is a lot a company has to oversee here.

04:02.840 --> 04:08.200
Yeah, and that's only about your own stuff. If you have a supply chain with a lot of suppliers in mind,

04:08.920 --> 04:14.440
it's getting even, I would not say worse, but more complicated, because you're not only

04:14.440 --> 04:18.360
responsible for your own stuff, but also for everything that comes from your suppliers.

04:20.840 --> 04:26.440
So what I fear is this huge amount of regulations, because I mean, this is not only the

04:26.440 --> 04:33.240
CRA, but we have data protection law, we have the AI Act, and to be honest, I do not even know where

04:33.320 --> 04:39.160
I can start here. I think that is a point where most of you and our other clients are struggling,

04:39.160 --> 04:45.480
because they all see these imminent threats of different regulations coming closer and closer

04:45.480 --> 04:52.280
without any idea what to do. But the good thing about them is they're all on the same basis.

04:52.280 --> 04:59.560
All of them try to aim in a similar direction, or at the same obligations to be fulfilled. Therefore,

04:59.560 --> 05:04.360
if you know about the regulations and how they interact with each other, you can get

05:05.240 --> 05:11.480
summaries of obligations and perform them to fulfill different specifications of all the regulations.

05:11.480 --> 05:21.400
One example: the GDPR and the CRA both ask for privacy, security by default, or privacy by default,

05:21.400 --> 05:28.040
or by design, and both of them can be fulfilled by a good technical execution of your software,

05:28.120 --> 05:32.120
creating an SBOM, things like that, and that helps a lot so that you don't have this

05:32.120 --> 05:40.360
mass of regulations that you can fulfill. So I see there is an overlap, but it's not only

05:40.360 --> 05:48.280
this huge amount of regulations, but we also have many, many tools. And if I understood

05:48.280 --> 05:54.600
you correctly, we have to classify all of them to be sure that we are compliant. But again,

05:54.600 --> 06:01.240
I wouldn't use all the software or treat all the software the same way. I would try to funnel them

06:01.240 --> 06:06.840
as we describe in this picture, and to start with, if you don't have anything in mind yet,

06:06.840 --> 06:13.480
start with an easier approach. It is three-dimensional from our perspective, and I would start with

06:13.480 --> 06:20.920
the customer risk, so everything that goes to your customer is first level. Every step you can perform,

06:21.000 --> 06:26.440
SBOM, evaluation manually, automated, everything you can think of, do it. On the other

06:26.440 --> 06:32.040
hand, going down to a third level, you have, for example, the in-group stuff, everything that goes to

06:32.040 --> 06:37.400
sister companies, mother companies: a bit of effort, but not that much. And everything you use

06:37.400 --> 06:44.040
internally, I would not say forget it, but a semi-automated process with a bit of documentation

06:44.120 --> 06:53.160
should be enough. And if you want to adjust this rather easy level system,

06:53.160 --> 06:58.120
then you can include, for example, points like: do I have a supply chain? Are there a lot of

06:58.120 --> 07:03.480
suppliers here, one, two, three? Then you have to level up your project, because it's much more

07:03.480 --> 07:08.520
difficult to get all the necessary information. Or do you have code from one of your own developers

07:08.520 --> 07:15.160
with five to ten components? That is easy to handle. Okay, I understand, it's a risk-

07:15.160 --> 07:22.840
based approach, so to speak, and I can focus on the high-risk products and spend all

07:22.840 --> 07:29.640
the effort on them, and all the others come later. That's correct, that's the idea behind it: don't

07:29.640 --> 07:36.600
panic, try to funnel the relevant projects, spend much of your effort, let's say

07:36.680 --> 07:43.720
80%, on them, document the rest in case one of the official departments comes to ask you for that,

07:43.720 --> 07:50.120
but in the end, don't treat them like every customer software you have. Okay, so that already

07:50.120 --> 07:56.760
sounds much more manageable for us, if you pay attention to the high-risk products first.

07:58.520 --> 08:04.280
Okay, the next thing is when we talk about risk levels, you have this assembly line.

08:07.240 --> 08:15.800
Yeah, exactly, I see the assembly line here,

08:15.800 --> 08:23.480
but what I need beyond this is a guideline. I need to know what I have to do for the individual

08:23.480 --> 08:31.880
products we produce. That is where you need a policy framework, because the risk level is only

08:31.880 --> 08:36.680
the first level of your compliance process. When you have the risks for your product, it's

08:36.680 --> 08:42.040
really relevant to evaluate, okay, for which of the risks do I do what

08:42.040 --> 08:48.840
procedure in the end to fulfill the specifications. With our first example, levels 1 to 3:

08:48.840 --> 08:54.920
level 1, you need the SBOM, you need the cybersecurity team to evaluate vulnerabilities,

08:54.920 --> 09:01.080
you need, if you go a bit aside from the CRA, a legal team, so me and my colleague, for example,

09:01.160 --> 09:05.800
to evaluate: do you have license breaches? What about the interaction of components? So a lot of

09:05.800 --> 09:10.600
work, a lot of effort, but everything should be in this policy framework. On the other side,

09:10.600 --> 09:16.680
third level, a bit of documentation should be good enough. So the compliance level

09:16.680 --> 09:21.160
must be graduated, depending on the risk level.

09:24.200 --> 09:29.400
That's right, that should be the result. And when you have this technical level of your compliance

09:29.480 --> 09:35.800
process, the third step should be: for each feature or step of this compliance or

09:35.800 --> 09:41.800
policy framework, you should have concrete rules: who does what? Now, it's relevant that each of

09:41.800 --> 09:48.040
these steps is assigned to one of the persons in your company. For example, the SBOM

09:48.040 --> 09:52.680
should be created by the dev team in the CI/CD pipeline. The vulnerability check

09:52.760 --> 09:59.320
done by your security team. And, yeah, the legal point, easy to handle: the legal team,

09:59.320 --> 10:05.320
like us, will do the license evaluation. Okay, so let's think about this perfect world.

10:05.320 --> 10:10.280
I'm in line with all the regulations you just mentioned, but I'm a little worried about

10:10.280 --> 10:15.320
the following situation. The authorities are knocking at my door and ask for proof that I

10:15.320 --> 10:21.160
fulfill all these regulations. So in some way, I need to document, or I need to provide

10:21.160 --> 10:27.880
information to them. And I would say the most lawyerly answer would be: document everything.

10:27.880 --> 10:33.880
So if you can, from the first step to the SBOM, to the evaluation, to each decision

10:33.880 --> 10:39.560
your legal or your security team performs, document them as well as you can, at best in one

10:39.560 --> 10:45.960
system, so that you have everything ready and available if one of the authorities or a

10:46.120 --> 10:51.240
third party asks for it. But now, this is a bit of a hard task if you don't know

10:51.240 --> 10:56.440
what to do, but there are already great templates you can use for that. For example, the Open

10:56.440 --> 11:04.680
Chain security assurance template or ISO 5203. All of them are, from our point of view,

11:04.680 --> 11:11.160
an audit-ready structure for SBOM generation and FOSS processing. Okay, thank you.

11:11.240 --> 11:16.440
I think I get an understanding. So let me sum up this strategy you just

11:16.440 --> 11:23.080
developed. So first of all, I understood that I do not have to analyze all my products the

11:23.080 --> 11:29.560
same way, but I can start with the high-risk products and then focus on the low-

11:29.560 --> 11:37.480
risk products later. And you agreed there are many regulations. However, there are

11:37.560 --> 11:43.800
overlaps, meaning with a single measure I can cover different rules

11:43.800 --> 11:50.440
and different regulations. So that's less effort for me and for our company. And

11:50.440 --> 11:56.040
based on this understanding I have now, an idea comes up, because we already have a

11:56.040 --> 12:03.080
FOSS compliance strategy. And here we use common scan tools like

12:03.080 --> 12:09.960
FOSSology or ORT scans. And only for the high-risk products, we switch to commercial

12:09.960 --> 12:17.240
options when we need this depth of analysis. And what I also thought about is we can

12:17.240 --> 12:23.720
get in touch with our open source project office, OSPO, because they know

12:23.720 --> 12:29.160
the code very well. So they can analyze the code. They can help us to create the

12:29.160 --> 12:33.960
as well, and also can support regarding the documentation stuff.

12:35.560 --> 12:41.560
That's all good. Okay, great, because now I start to see a picture here.

12:41.560 --> 12:50.600
But we haven't spoken about another point yet. And this is security.

12:50.600 --> 12:57.480
The thing is, even if I know my code, how can I identify vulnerability issues?

12:58.440 --> 13:02.920
And that is where our first picture comes into play, because the basis for your FOSS

13:02.920 --> 13:07.960
evaluation is your SBOM, the thing you already generated. You already named good tools,

13:07.960 --> 13:13.880
like, for example, ORT, or now I know Syft, the tool I heard of from a talk earlier,

13:13.880 --> 13:19.240
that there is a new project, or new for me at least, which is called sbomify. So try them

13:19.240 --> 13:27.320
out, all of them are good, I think. And this SBOM that you created, it has a bit different

13:27.320 --> 13:33.640
I would say, including regarding FOSS compliance or CRA, but if you have a standard system,

13:33.640 --> 13:38.840
you can take the SBOM for everything and then do a cross-reference. You give it to your

13:38.840 --> 13:44.920
legal team on the left side for the FOSS evaluation, at best with an automated pre-filter

13:44.920 --> 13:51.560
and less human evaluation. And on the other hand, you have your security team, which can

13:51.560 --> 13:59.640
then cross-reference it with, for example, the CVE or NVD database to get already known vulnerabilities

13:59.640 --> 14:04.680
and then perform their vulnerability check. So that means we can just use the information

14:04.680 --> 14:11.640
we got from our open source compliance process and build the vulnerability check

14:11.640 --> 14:18.680
just on it. Yeah, and that is the point, from our perspective and how our clients experience

14:19.240 --> 14:27.320
it, how the CRA becomes achievable, because it demands from you to evaluate and manage your vulnerabilities,

14:27.320 --> 14:33.000
and how could you do that if you don't know what's inside your software? Yeah, that's the crucial

14:33.000 --> 14:39.240
point, what's in our software, but we also receive software from suppliers, and we do not

14:39.240 --> 14:44.520
know that software very well. I mean, for our own software, we know

14:44.600 --> 14:50.280
what open source components we used, but when we receive code from our suppliers,

14:50.280 --> 14:55.560
it's hard to analyze it sometimes, and how can I be sure that they are compliant with

14:55.560 --> 15:01.480
all the rules? Often, with suppliers it's much more difficult, because for your own code,

15:01.480 --> 15:05.480
as you said, you know everything about it. From suppliers, it can be that you get an entirely

15:05.480 --> 15:10.200
black box. You just get some binaries in the end, an executable. You have to work with that,

15:10.280 --> 15:16.440
and the first step for your future CRA compliance should be to look into your contracts. And that

15:16.440 --> 15:21.720
is the point where the legal side comes into play, because in the contracts you can demand

15:21.720 --> 15:27.800
from your suppliers that they have to transmit the information relevant for the CRA compliance,

15:27.800 --> 15:33.400
the documentation you need and all the stuff you want to get CRA-ready. And if everything

15:33.400 --> 15:40.040
gets a bit messy and you're sued by a third party, by an official department,

15:40.040 --> 15:45.080
then, besides getting the information in advance, you should already have liability clauses

15:45.080 --> 15:52.360
and indemnification clauses so that you, as the final manufacturer, maybe of an open source or

15:52.360 --> 15:59.240
a proprietary project, can transmit the costs and things you have to your suppliers,

15:59.240 --> 16:06.200
which, in the end, provided this fault. Okay, I see, so I need a lawyer with good

16:06.200 --> 16:12.200
negotiation skills. But if I understood you correctly, if I get my own code under control,

16:12.200 --> 16:18.520
if I get the code of my suppliers under control, or at least have good contractual conditions,

16:18.520 --> 16:24.440
then I can finally just press this fancy button you just mentioned and receive all the

16:24.520 --> 16:29.720
relevant information I can be asked for. Yeah, and from our point of view, if you performed

16:29.720 --> 16:36.040
all these, you know, not easy steps, that is the point where compliance turns from

16:36.040 --> 16:41.720
an obligation to an opportunity. So as a manager, I would say it doesn't really sound like an opportunity,

16:41.720 --> 16:50.360
because probably it would cost a lot of money and effort. But in the future, this effort

16:50.440 --> 16:55.400
is not only necessary, but from our perspective, it's a selling point, because all of your customers

16:55.400 --> 17:01.640
will in the future ask for the readiness and CRA compliance, and if you can transmit

17:01.640 --> 17:07.560
that with your purchase information, or after they ask, one or two minutes after the question is

17:07.560 --> 17:12.920
asked, that is a selling point you won't miss. Okay, so from a manager's point of view, probably

17:12.920 --> 17:20.040
I can say it's a product feature, and not only an enemy I have to fight. And at this point,

17:20.680 --> 17:26.680
our drama is over, and we are back to our normal roles. However,

17:26.680 --> 17:32.120
it was very helpful to try to switch the perspective, to understand the worries and the

17:32.120 --> 17:40.440
fears our clients have, and to get a better understanding of them. And what we would like to

17:40.440 --> 17:47.880
give you, and also our clients, are some key takeaways we learned during this process,

17:47.880 --> 17:53.480
and I think the main key takeaway is that FOSS compliance is half the battle

17:53.480 --> 18:00.040
when it comes to a clean vulnerability management. And that's why we believe

18:00.040 --> 18:04.360
the topic FOSS will get more attention during the next years, and I mean, this is very,

18:04.360 --> 18:10.600
very good news for the open source community. Yeah, and that is one point I want to get a bit

18:10.600 --> 18:17.080
more into detail, because yesterday we heard a lot of sessions regarding the CRA, and my major

18:18.120 --> 18:23.800
impression of what we heard and the questions that were asked was that most of the open source

18:23.800 --> 18:28.840
developers fear the CRA, this big beast. They don't know how to handle it, which

18:28.920 --> 18:34.280
obligations they have to fulfill and so on. But to be honest, I think that is

18:34.280 --> 18:39.080
a wrong mindset. From my point of view, the CRA is an opportunity for each open source developer,

18:39.080 --> 18:43.880
because, think the other way around, most of the manufacturers will have obligations to

18:43.880 --> 18:50.360
be fulfilled. The only way they can get the information to fulfill that is by asking the open source

18:50.360 --> 18:55.320
communities, open source developers, because most of their code is open source. On the other hand,

18:55.320 --> 19:02.440
from the CRA, there is no obligation that you have to transmit this information to them. Therefore,

19:02.440 --> 19:09.320
before the CRA, there was a bit of a David versus Goliath situation: you have these big

19:09.320 --> 19:14.920
companies, small open source developers, and they didn't care about open source, to be honest.

19:14.920 --> 19:20.040
We see it in our practice every day now that open source is a nice topic, everyone wants

19:20.120 --> 19:25.320
a bit of compliance, but that's it. But now they have an issue: they have to care about open source

19:25.320 --> 19:32.120
compliance, and they have to ask you. Therefore, two things are relevant from my point of view.

19:32.120 --> 19:37.560
The first thing is, they will invest a lot of money, hopefully, in the open source

19:37.560 --> 19:42.600
communities to get this CRA readiness, and the second thing is, you're on the trigger now:

19:42.600 --> 19:47.240
when you're the open source developer and they need the information from you, demand what you want from them.

19:47.640 --> 19:53.640
Okay, I think that is everything we want to say for today. So, thanks,

19:53.640 --> 20:00.520
everyone, for hearing us out and listening to us, and yeah, we have five minutes left,

20:00.520 --> 20:03.640
so if there are any questions, point them out.

20:04.520 --> 20:23.240
Hello. So, when you talked about the relation between, let's say, business financing

20:23.240 --> 20:29.320
and how open source developers fear the CRA, and the amount of work that entails,

20:29.480 --> 20:35.240
you're basically opposing big companies to open source developers, but there are also the open source

20:35.240 --> 20:40.920
companies, which are not big companies; they are open source communities that want to build open

20:40.920 --> 20:47.000
source software and make business out of it in a way that allows them to live and produce open

20:47.000 --> 20:53.560
source. I'm not sure what you mentioned about how the CRA applies to this situation,

20:54.120 --> 20:59.480
how, I mean, in this situation, the cost is to the same community, in a way. Would you comment on that, please?

20:59.480 --> 21:06.280
Yeah, the microphone is not the best, but if I understood the question correctly,

21:06.280 --> 21:12.520
it's about when an open source community becomes the deployer of the software

21:12.520 --> 21:18.760
and has to fulfill the specifications of the CRA, is that correct? Okay, I think, hopefully,

21:18.840 --> 21:27.560
or the bad thing about this, there are not many concrete rules and playbooks from

21:27.560 --> 21:34.440
ENISA, the EU Commission, or, in Germany, the BSI, for example, to talk about

21:34.440 --> 21:39.240
who is only an open source steward, which is, I would say, the good position, because as an open source

21:39.240 --> 21:45.800
steward, most of the obligations are free. There are no fines, there are no points where the

21:45.880 --> 21:52.760
commission or other departments can tackle you. My hope would be that in the future the

21:53.640 --> 21:59.160
definition of open source steward and manufacturer regarding

21:59.160 --> 22:05.000
the software will be a bit more defined, and each open source community should try to stay

22:05.000 --> 22:08.440
under the open source steward definition, because then they're good to go.

22:08.840 --> 22:23.880
A question on exactly the last point that you were just making.

22:23.880 --> 22:29.160
Every time I've looked, the EU hasn't given much clear guidance, essentially saying... Sorry. Yeah,

22:29.160 --> 22:33.480
I'm closer to the microphone now. Okay, there we go.

22:34.440 --> 22:40.440
The EU hasn't been particularly clear on whether me maintaining a free open source project myself

22:40.440 --> 22:46.120
counts as a manufacturer or not. Everything that you've just said says, essentially: I'm maintaining

22:46.120 --> 22:53.320
a thing, I put it under a license, good luck. Where are you hearing that from, so that I can

22:53.320 --> 22:57.080
sleep a bit easier at night, because I'm worried myself. You mean that as an open

22:57.080 --> 23:03.000
source steward you don't have that many obligations? Or, I, that I don't want to get sued

23:03.000 --> 23:07.240
because someone gets hacked because of my weekend project that I released at a hackathon three

23:07.240 --> 23:11.960
years ago, but right now I would kind of be, like, the maintainer of that project.

23:14.520 --> 23:21.960
Okay, I just wanted to get the question a bit better.

23:21.960 --> 23:27.160
So you're afraid of code that you have written years ago, and now you're the maintainer,

23:27.880 --> 23:33.240
or still understood as the maintainer of that code, and that someone comes and asks you to

23:33.240 --> 23:39.000
fulfill the obligations of the CRA. From my point of view,

23:39.000 --> 23:44.120
there's not that much regulation, but yesterday there were

23:44.120 --> 23:49.960
speakers from the BSI, for example, the German one, and from the EU commission. And what they all

23:50.040 --> 23:55.240
pointed out is that they don't want to sue any open source developers, and that there are no,

23:56.280 --> 24:00.440
I would not say obligations, but behind the obligations for open source stewards, which

24:00.440 --> 24:09.000
are defined in 24, 25 CRA, there is no rule set for fining these people, coming from

24:09.000 --> 24:15.160
the commission, with strict obligations for the open source side to fulfill the specifications.

24:15.160 --> 24:20.200
Therefore, there are obligations, but they are, I would not call them free, but it's

24:20.200 --> 24:25.000
more of a guideline, how open source communities and stewards should support the manufacturers

24:25.000 --> 24:31.160
to fulfill their specifications, because to be honest, without that they're lost in the end.

24:33.960 --> 24:38.680
So we have one more question from the chat. Thank you. Someone says they've implemented

24:38.760 --> 24:44.600
SBOM generation for all of their packages, and they ask if you have tips on checking whether

24:44.600 --> 24:49.800
that's sufficient for compliance. Okay. I don't like that microphone. Can you just show me the...?

24:56.920 --> 25:02.040
You mean, it is different for the compliance checking tools.

25:02.040 --> 25:07.240
First of all, if you have an SBOM generated in CycloneDX, and that is something to be,

25:07.400 --> 25:12.280
sorry for that, but I'm the lawyer, not the technician here. I heard earlier today

25:12.280 --> 25:18.600
there are already good tools to translate CycloneDX into the, I would say, CRA-

25:18.600 --> 25:24.840
ready, or license-compliance-ready, SBOMs. And for the CRA, there are specifications

25:24.840 --> 25:30.280
from the EU commission and the BSI, for example, for Germany. For license compliance,

25:30.280 --> 25:36.120
to be honest, we work with this every day. There are no specifications of what is necessary

25:36.280 --> 25:40.680
for license compliance. The good thing is, if I can work with the information

25:40.680 --> 25:46.200
to evaluate all the relevant licenses, then it's good. And if you fulfill all the specifications

25:46.200 --> 25:52.680
of CycloneDX or SPDX, you're on a good way to work with it. And for the FOSS evaluation,

25:52.680 --> 25:57.800
as far as I know, all the open source tools we use, that is ORT, ScanCode, FOSSology,

25:57.800 --> 26:05.320
they all provide the SBOMs in CycloneDX or SPDX, and they also fulfill the specifications

26:05.400 --> 26:07.480
that we can work with it.

26:08.680 --> 26:11.320
Fair to finish. Do we?

26:11.320 --> 26:15.880
Anika, Florian. Many thanks for your talk.

