WEBVTT

00:00.000 --> 00:11.360
Time for the Cyber Resilience Act, so I'm introducing myself, so I'm all excited

00:11.360 --> 00:15.960
and I'm working for the Free Software Foundation Europe as a policy program manager,

00:15.960 --> 00:23.680
and today I'm talking with Michael Schlossner, from the Federal Office for Information Security

00:23.680 --> 00:29.200
and the BSI, so the Bundesamt für Sicherheit in der Informationstechnik, about our

00:29.200 --> 00:33.160
recent work on the Cyber Resilience Act, and then we will be joined by somebody from the European

00:33.160 --> 00:39.880
Commission for a round of Q&A. So we start with a short introduction on the Cyber Resilience

00:39.880 --> 00:45.600
Act, and our current questions we have, and then we open up the floor for a Q&A part

00:45.600 --> 00:49.520
where you can pretty much ask us everything.

00:49.520 --> 00:53.840
And with this, I'm handing over to Mr. Phil Slight.

00:53.840 --> 01:00.480
Thank you. So what we start with is giving a short introduction into the CRA, like what

01:00.480 --> 01:07.200
the goals are, and then what goals, especially for open source, are there, and then last year

01:07.200 --> 01:13.960
we did a project where we handed out a questionnaire to try to get as much information

01:14.040 --> 01:20.200
from developers, manufacturers, and possible stewards, I will say two or three words about

01:20.200 --> 01:26.920
the stewards in a minute, and where they see themselves and what problems they might have

01:26.920 --> 01:33.480
with the CRA, so that we can address that in possible guidance and in talks

01:33.480 --> 01:39.240
like this.

01:39.480 --> 01:47.720
What are the goals of this CRA? First, we all know that there are more and more vulnerabilities

01:47.720 --> 01:52.680
in software products, in hardware products, and in the products on the European market, in

01:52.680 --> 02:04.040
general, so the idea was to create something so that secure software development becomes a normal

02:04.120 --> 02:13.240
part of creating new products. It wants to ensure that products, software and hardware products,

02:13.240 --> 02:19.000
with fewer vulnerabilities come to the market, and that manufacturers have to think about

02:19.000 --> 02:25.000
the vulnerabilities and the security of their products for the whole life cycle. So it's not just

02:25.000 --> 02:29.960
I develop something, then I'm happy having it on the market, and then I don't care anymore;

02:29.960 --> 02:38.440
they have to fix vulnerabilities when they arise in certain timeframes, and they have also to

02:38.440 --> 02:46.680
think about what happens with the product. Another very important goal is that the CRA also wants

02:46.680 --> 02:55.160
to give users the chance to get informed about the products they want to buy, so that they

02:55.240 --> 03:01.880
can make good decisions on buying secure products, so that overall we raise the bar on

03:01.880 --> 03:10.280
security with all the products on the European market. So where are we now? The CRA entered

03:10.280 --> 03:21.080
into force in December 2024, so it's more than one year now where we are in a kind of transition

03:21.080 --> 03:27.960
phase, so the CRA has a three-year transition phase; there are some obligations which start

03:27.960 --> 03:35.800
in September this year, so manufacturers have to report known, actively exploited

03:35.800 --> 03:42.360
vulnerabilities and severe incidents when they know them or when they could become aware of them,

03:43.240 --> 03:54.280
and for that ENISA, the European cybersecurity agency, is working on a single reporting platform

03:54.280 --> 03:59.640
where then manufacturers can report their vulnerabilities, and from there they go at once to

03:59.640 --> 04:06.680
ENISA, so that it then gets an overview of the actively exploited vulnerabilities, and to the national

04:06.680 --> 04:13.320
CSIRTs, so that they can do the coordinated vulnerability disclosure process.

04:16.200 --> 04:22.120
During the transition phase, right now there's a lot happening at standardization, so the European

04:22.120 --> 04:31.480
standardization organizations, they are in the process of developing certain product standards,

04:31.480 --> 04:37.960
and also some horizontal standards on risk assessments and how to do it, on vulnerability

04:37.960 --> 04:41.960
handling and what you have to do there, so there's a lot of work going on,

04:42.840 --> 04:51.160
then something we will talk about is that the CRA leaves the opportunity for open source

04:51.160 --> 04:58.840
attestations, so that's something where we look at whether that can be used to attest that open source

04:58.840 --> 05:06.840
software does comply with certain requirements, and that's something which is

05:06.840 --> 05:13.480
what we heavily discuss right now, how that could work and what that could be, and there's also

05:13.480 --> 05:20.040
a lot about guidance going on, so there's guidance published by the European Commission on the

05:20.040 --> 05:27.000
EU website about open source; there's a frequently asked questions document on there, where

05:27.000 --> 05:32.600
you can get even more information on how to implement the CRA, how certain things should be

05:32.600 --> 05:40.200
interpreted in the CRA, and the guidance part is also still ongoing, so we are still in the process

05:40.200 --> 05:49.160
where people can give information, give us their input, and then we can have a look at how we can

05:49.160 --> 05:55.480
integrate it into guidance and what we can get out of that, and as it's pointed out here,

05:56.040 --> 06:02.920
in order to clarify a lot of things, we need information on what the main topics and the main

06:02.920 --> 06:09.400
questions out there are that we need to address in the guidance. So the CRA has

06:09.960 --> 06:16.600
different roles, it's a product regulation, and one of the stakeholders bringing products

06:16.600 --> 06:24.120
onto the European market is the manufacturer, another one which is kind of new in the context of

06:24.120 --> 06:31.400
the CRA is the steward, so the steward is supposed to manage open source software, free and open source

06:31.400 --> 06:38.360
software, which is intended to be integrated into products, so that they also have some

06:38.360 --> 06:43.560
obligations about reporting vulnerabilities, but they don't have all the obligations

06:44.120 --> 06:49.240
like a manufacturer, and one point which is very different between them, they can't be

06:49.240 --> 06:56.680
fined if they don't comply with the obligations. And one exception: free and open source

06:57.480 --> 07:03.400
doesn't have to do anything in regards to the CRA; what we are talking about later is

07:04.280 --> 07:11.880
maybe there's an incentive to do something if they want, but all in all they don't have to do

07:11.880 --> 07:19.160
anything about the CRA if they don't want to. So what are the obligations a manufacturer

07:19.160 --> 07:26.840
has in regards to open source, the manufacturer is fully responsible for all the open source

07:26.920 --> 07:33.960
or the components he integrates into his product, and that includes all the free open source

07:33.960 --> 07:40.200
software, so it's his responsibility if there are vulnerabilities and there he has to do something

07:40.200 --> 07:47.720
to fix it, and he also has to do it again for the whole lifetime, he can't just take open source

07:47.720 --> 07:56.680
and then leave it as it is, he has to do something. Two more things which are written down in the CRA:

07:56.680 --> 08:05.800
if a manufacturer becomes aware of a vulnerability, he must inform the developer or the maintainer

08:05.800 --> 08:14.440
of the open source project, and if he provides the fix, he also has to provide the fix to the

08:14.440 --> 08:19.080
project, they still can decide if they want to include it and want to do something with it,

08:19.160 --> 08:27.240
but manufacturers have to provide the fix. So now over to Alex.

08:27.240 --> 08:35.000
Yeah, also, since the Cyber Resilience Act was introduced, people already started to

08:35.000 --> 08:41.560
kind of work on this, and this is an interesting example from the curl project where, like,

08:41.560 --> 08:48.200
a manufacturer just approached Daniel and said, like, look, I looked in the CRA and you have no

08:48.280 --> 08:54.440
obligations, I have obligations, please help me, and they gave them a list of what they wanted to have,

08:55.400 --> 09:00.280
and also didn't offer any kind of money or resources in order to get this information,

09:00.280 --> 09:04.360
so they're just approaching Daniel to say, like, look, we need this and this and this and this.

09:04.360 --> 09:09.240
And this is precisely what we do not want to see and what should not happen with the cyber resilience

09:09.240 --> 09:16.360
act, it's rather something where we do believe that if you do free software and like put it out to the

09:16.520 --> 09:22.840
world and it's then used by a manufacturer, the manufacturer should have some, like, obligations

09:22.840 --> 09:27.640
and help you in order to get what he needs and not like that the project is then just like

09:27.640 --> 09:32.760
providing everything for free and helping the manufacturer to get out a good product.

09:32.760 --> 09:38.920
So, in this regard, we can go to the next slide. So Michael and I started a

09:38.920 --> 09:45.640
project like roughly a year ago, I think it was, and we tried to bring in some like first of all

09:45.640 --> 09:52.040
clarity to better understand the roles, but also more importantly to understand where people outside

09:52.040 --> 09:57.160
are, so what do they see and what do they think about the CIA and how it should like be

09:57.160 --> 10:02.360
lived in reality, what do they need and how should this process look for them. So that's why,

10:02.360 --> 10:06.680
since we are both Germans and the project happened in Germany, there are also some volunteers from Germany

10:06.680 --> 10:10.680
that are also here in the room, so thanks for helping us during that year on this. We came up with

10:10.680 --> 10:17.080
a questionnaire, a survey, where we basically wanted to have feedback from manufacturers. We also

10:17.080 --> 10:23.880
wanted to have feedback from foundations or the free software ecosystem, but also from stewards or

10:23.880 --> 10:28.840
potential stewards or people that might think that they want to be a steward or that they might want

10:28.840 --> 10:34.920
to do or that they think that they are a steward or people that have some other concerns about

10:34.920 --> 10:41.560
the Cyber Resilience Act, so we also tried to mainly address people that are kind of, like, familiar

10:41.560 --> 10:45.800
with the Cyber Resilience Act, so they should have at least some sort of experience around it

10:45.800 --> 10:50.760
and should know what they talk about when they fill in the survey. So it was not about, like, quantity,

10:50.760 --> 10:56.680
but rather quality, and also we said nobody has to answer all the questions, so it's just like

10:56.680 --> 11:02.680
answer where you are, like, kind of familiar with it or where you see problems, and this resulted in, like,

11:02.680 --> 11:10.120
nearly 350 responses; around 80 have been, like, filled in completely, and this helped us really a

11:10.120 --> 11:18.280
lot in order to better understand how people look at the CRA, and also helped us to spot projects

11:18.280 --> 11:24.120
and communities we weren't even aware existed, and how they do believe that they are

11:24.120 --> 11:29.960
affected by the Cyber Resilience Act. So the survey helped us to bring in some clarity, but also

11:29.960 --> 11:37.640
to identify some of their questions, maybe problems, and this was then also used to incorporate this

11:37.640 --> 11:43.320
in the implementation process. Michael just referred to what we've been talking about, guidance;

11:43.320 --> 11:49.720
also there are some consultations where we pointed people to, and also, since this questionnaire was

11:49.720 --> 11:55.880
mainly on the questions, like, on roles and stewards and projects, we also had some free fields

11:55.880 --> 12:00.280
and by that we figured out that there's even more that we should ask and this is what we are

12:00.280 --> 12:07.800
basically now going to talk about, and this is also one of these actual problems or like processes

12:07.800 --> 12:13.480
we try to address, and it's on attestation, and also what Michael already mentioned in the

12:13.480 --> 12:19.240
beginning. However, what was also interesting to see from the questionnaire is that, like,

12:19.320 --> 12:27.160
only 50% of the people who answered the questionnaire were, like, sure about their role,

12:27.160 --> 12:33.560
so 50% didn't know what they are or how they will be regulated under the Cyber Resilience Act,

12:33.560 --> 12:40.840
so that was a pretty interesting question, and also a lot of questions were, like, being around,

12:40.840 --> 12:47.880
like, what is the threshold, like, when is something commercial, when are you considered

12:47.880 --> 12:55.160
to be maybe a manufacturer, or what's the limit to be a steward, so what is with donations,

12:55.160 --> 13:01.400
is there a certain level of donations you can receive, maybe other forms of income, right, or remember

13:01.400 --> 13:06.360
again the question from the curl project, so what would happen if Daniel signs a contract and

13:06.360 --> 13:12.840
says, look, I'm helping you as a steward to fulfill your roles as a manufacturer, and then you have some

13:12.840 --> 13:18.280
sort of income; does this then make you maybe a manufacturer? So probably it's not, but

13:18.280 --> 13:23.080
so these are the questions people had, and I do believe that this is something we have to address

13:23.080 --> 13:30.680
and that should also then, for example, end up in guidance. Also many, many projects,

13:30.680 --> 13:37.480
many maintainers and developers out there felt that they might be pressured in future and that, like,

13:37.960 --> 13:44.680
manufacturers put some pressure on them to, like, be around and to do things that they do not want to

13:44.680 --> 13:50.440
do. So basically one of the most interesting pieces of feedback we got, that's why we also quoted it:

13:50.440 --> 13:55.400
"I like to do software engineering, not management", and I think this is also something which we should

13:55.400 --> 14:00.680
always keep in mind, right, so the Cyber Resilience Act should not, like, hinder people from doing

14:00.680 --> 14:06.120
software development because we are pushing them into management or other obligations that

14:06.200 --> 14:12.200
should not be the case. And this is also why some people feared that the quality of the

14:12.200 --> 14:20.600
project will be not that good in future since they have to spend time on other processes

14:20.600 --> 14:26.360
in order to, like, I don't know, make that software better. And also what we have seen, and this is also

14:26.360 --> 14:32.120
super interesting also in light of the discussion on attestation, but also on the

14:32.120 --> 14:38.760
steward concept and all, is that we see that some projects also get financial

14:38.760 --> 14:46.440
support, even from manufacturers these days, but the financial support they get until now is, like,

14:46.440 --> 14:51.080
far lower than the costs they have, right, so it's, like, not really balanced, so

14:51.080 --> 14:56.200
to say, and if you talk about the Cyber Resilience Act and want the stewards to help the manufacturers

14:56.280 --> 15:02.520
or want them to come up with an attestation, we have to talk about the money, so we have to make sure

15:02.520 --> 15:09.320
that there is, like, a proportionate amount of resources around for them, in order that they can

15:10.600 --> 15:18.120
help the manufacturers to get their products on the market. So all of this means that we

15:18.120 --> 15:23.640
are, like, basically talking about three, like, core topics at the moment. There are also some

15:23.640 --> 15:28.120
other debates, but it's, like, on guidance, this is also what we addressed in the very beginning,

15:28.120 --> 15:32.200
then it's on standards, or the ongoing standardisation process; there's also some very nice

15:32.200 --> 15:37.640
material from the Commission on the standardisation process, so grab this after the talk,

15:37.640 --> 15:44.200
and then the attestation debate, which we just recently addressed here and where there's also,

15:44.280 --> 15:49.480
like, pretty much a clean paper at the moment, and where we need to fill this with content, and for

15:49.480 --> 15:54.040
this we have thought it's a good idea to do another survey. So we are not the only ones that have

15:54.040 --> 15:59.320
this idea, so there are also some more surveys out there, but this is then what we are going to talk

15:59.320 --> 16:06.840
about in the next minutes. Yes, so the question is, what is the attestation? There's Article 25 describing

16:06.920 --> 16:13.480
the possibility for the Commission to put something out on how attestation for open source

16:13.480 --> 16:21.080
could work, and the question is, can that be used to finance open source a little, to balance the

16:21.080 --> 16:26.920
playing field, that manufacturers are totally responsible for the stuff they put into their products,

16:27.960 --> 16:35.560
can they support the ones who develop the stuff they put into their products? So

16:36.360 --> 16:43.160
that's the one thing, how can developers be helped, or how we can help them, and the other thing is

16:43.160 --> 16:51.480
what we want is that manufacturers use open source as freely as they can, and we know that open source

16:51.480 --> 16:58.120
is helping the security everywhere, so we want manufacturers to use open source, so it should be

16:58.120 --> 17:05.800
very easy for them to use it. So we need to kind of balance: we want to have the developers,

17:05.800 --> 17:12.440
and we want to make it easy for the manufacturers to do it, and the easy part for the manufacturer

17:12.440 --> 17:17.080
should be that they do not bother the project, but they just, like, can more or less, kind of, like,

17:17.080 --> 17:23.160
credit it. And this is the question, how to organize this, yeah, and maybe just pay for development time.

17:24.120 --> 17:31.400
So what is going on? The Eclipse Foundation has a project where they think about attestation

17:31.400 --> 17:40.600
and work out how the attestation can be used, what the attestation can be; that's also a

17:40.600 --> 17:48.680
question, what is there to be attested, and they've put out a survey themselves, I think this week,

17:49.560 --> 17:57.240
and there are a lot of discussions and people can join those discussions and we encourage

17:57.240 --> 18:07.720
everybody to do so. What we did with our survey was, we wanted to see how small maintainers and developers,

18:07.720 --> 18:15.800
which might not work with a foundation, which might not work together with potential stewards

18:15.800 --> 18:23.800
or stewards, how it could work for them and what ideas they might have in this process, so that

18:23.800 --> 18:30.440
we don't only get something which works for foundations like the Linux Foundation or the Eclipse Foundation;

18:30.440 --> 18:37.400
we want something which also works for the small maintainers which just want to do software

18:37.400 --> 18:44.840
development instead of the management. And we also, again, that's learning from our other survey,

18:44.840 --> 18:50.040
we have a lot of free text in there, so people can just put a lot of stuff in there, their

18:50.040 --> 18:57.000
input, in there, and we even have one catch-all: the last question is, tell us everything you want to

18:57.000 --> 19:11.000
know, so you can just leave your ideas in there. So that's the survey itself;

19:11.960 --> 19:18.840
write us your ideas, what you want in there and how you think this could work. We have

19:18.840 --> 19:27.880
around 27 questions, and again we are looking for your feedback, and we'll use that to take it into

19:27.880 --> 19:35.080
the discussions on how we could make the attestation work. So on this we have also some

19:35.080 --> 19:40.280
sort of categories, right, so we already have some ideas how it could look like, so we already,

19:40.280 --> 19:45.400
like, give you something where you can give us some answers, for example on the pricing, or, like,

19:45.400 --> 19:49.800
who should issue the attestation, how you can get attestations; there are also, like, in these

19:49.800 --> 19:55.960
questions already some ideas in, but if there's anything else, like any ideas you might have that

19:55.960 --> 20:02.440
we do not address in this questionnaire, please put this in. And every idea helps in order to

20:02.440 --> 20:08.120
get a better understanding of how this process could look like, and also I think it doesn't mean

20:08.120 --> 20:13.880
that there will be, like, just one way how to get attestation, maybe there might be more, and for this

20:13.880 --> 20:21.880
it's a good idea to, like, see and bring some clarity into this, like how it maybe could look like,

20:21.880 --> 20:26.040
so that doesn't mean that it will look like this afterwards, but every idea helps us to better

20:26.040 --> 20:33.800
understand how this all could be made. Yeah, so we have the link to the survey, which was

20:33.800 --> 20:42.280
released today, so from now on everybody can just answer and put their ideas in, and also we put the

20:42.280 --> 20:49.960
link to the guidance on open source from the European Commission in there, so that's also a good

20:49.960 --> 20:59.320
point to start on what interpretation towards open source is already in the CRA and how certain things

20:59.320 --> 21:08.680
are defined, and from there you can also go to the FAQ section for the CRA, which is a very large

21:08.680 --> 21:15.720
document. I know that not everything is in there yet; we're still working on some more guidance,

21:15.720 --> 21:23.480
but it also helps to see what the CRA is meant for and how certain things look like in the CRA,

21:23.480 --> 21:28.680
to give some more clarity. So it's a good idea to first look at the Commission's sources and then go

21:28.680 --> 21:33.640
to the questionnaire, and also it's, I guess, important to know the questionnaire will be open for

21:34.280 --> 21:41.160
one month, so until the 28th of February you can put everything you have into this survey,

21:41.160 --> 21:46.920
and then we close it from the first of March on and then evaluate and also, like, share the

21:46.920 --> 21:52.200
results publicly, but also then obviously with the Commission, and market surveillance is also here, so

21:52.200 --> 21:55.800
this is also something that people should know, that Michael is working for such a market

21:55.800 --> 22:01.640
surveillance authority, so we then also try to bring it into the process and not just, like,

22:01.640 --> 22:06.440
publish it, but also try to make sure that these ideas then also, like, are reflected in the

22:06.520 --> 22:13.960
upcoming processes. All right, so with that we go over to the questions you might have.

22:13.960 --> 22:19.000
Yeah, so this means first of all we want to welcome our guest who joins us here from the European Commission,

22:19.000 --> 22:26.120
so this is a thing, we have, like, a very good, so to say, panel here where you can ask us everything.

22:26.120 --> 22:31.320
This means you can ask us general questions on the Cyber Resilience Act but also on the topics

22:31.320 --> 22:36.440
which we have recently addressed, and I do believe we should be able to answer at least most of them.

22:40.040 --> 22:45.480
Just so that I don't forget about that, we have one question in the Matrix channel:

22:45.480 --> 22:51.800
when does ENISA provide the API definition for the single reporting platform, is there any timeline

22:51.880 --> 23:00.040
available? Okay, so we're going deep into CRA implementation, not really open source related, so

23:00.040 --> 23:06.360
I think Michael mentioned that there is an obligation to report actively exploited vulnerabilities

23:06.360 --> 23:12.040
and incidents that affect the security of your product, and you report only once through a

23:12.040 --> 23:19.000
single reporting platform that is being established by ENISA. Now of course this is going to be quite

23:19.000 --> 23:24.200
a complex procurement procedure, and it's to be operational by September of this year to start

23:24.200 --> 23:28.760
the reporting obligations, and it needs to be very secure because some of this information will

23:28.760 --> 23:33.160
be quite sensitive and through the single reporting platform the information gets sent to the

23:33.160 --> 23:40.920
national CSIRTs. The API for the manufacturers in the first phase will not be available,

23:42.520 --> 23:47.960
because we are focusing more on the security aspects and on making sure that the CSIRTs

23:47.960 --> 23:54.680
that need to do the incident response have everything that they need, and then in a second phase

23:54.680 --> 24:00.040
we might look into an API for automating reporting obligations from the manufacturer side.

24:00.760 --> 24:05.720
Before I hand over to the next question, maybe you can do a short introduction of yourself.

24:05.720 --> 24:09.640
Of course, maybe I should have started with that. My name is Thomas Bernabuy and I'm one of the

24:09.640 --> 24:13.960
policy officers that is working in the European Commission on the implementation of the CRA,

24:13.960 --> 24:17.560
writing the guidance documents and indeed following all these developments.

24:18.760 --> 24:25.320
Thank you. So I'm cheating a little bit by not asking a question, but I'll give

24:26.040 --> 24:31.800
you, you mentioned the project earlier; what I really want to stress here for the open source people

24:31.800 --> 24:37.320
present here is that you can participate there, it's entirely free, it's entirely, sort of, like, open

24:37.320 --> 24:40.840
to anyone there, so just to dispel the rumors there.

24:41.800 --> 24:48.680
Can I just add that, obviously, so the Commission has procured services from the Eclipse Foundation

24:48.680 --> 24:54.200
and Nullpoint Studio to help with this development, but we want this to work not just for the

24:54.200 --> 24:58.360
Eclipse Foundation, we want it to work for the individual developers that Michael was talking about,

24:58.360 --> 25:02.600
for the small players, so of course we also need your perspective, and also Alex is, I think,

25:02.760 --> 25:04.600
that's a lot to it that.

25:06.280 --> 25:10.600
Hi there, thanks for that. I work in the embedded systems industry making connected devices.

25:11.480 --> 25:16.600
I've been trying to follow and educate myself on this for quite some time; I feel really confused.

25:17.800 --> 25:23.400
I hear a lot about policy in the future and questions; this is brilliant, this is great, we need

25:23.400 --> 25:29.160
involvement, but I have timelines of commitments and I have to comply with those. We have UKCE

25:29.160 --> 25:34.040
already in force now. I talk to my customers, they've never heard of this. I talk about

25:34.040 --> 25:38.760
security and they say, I will do that later on. I say, well, fine, but you are now legally obliged

25:38.760 --> 25:45.160
to do this. Have you heard about the CRA? They haven't. I'm really concerned that we're in an

25:45.160 --> 25:50.600
industry where there's such little understanding of what we need to be doing and we're putting

25:50.600 --> 25:56.440
products out into the field for 10, 15 years, and we've got to support those, and I'm not sure,

25:56.920 --> 26:02.600
as the person at the front end, what I have to be doing and what I have to be saying to our

26:02.600 --> 26:07.800
customers. I don't really know, am I a manufacturer, or am I a steward when I'm

26:07.800 --> 26:13.400
doing this because it might be used, or I do stuff for fun; what hat am I wearing? And I'm quite worried

26:13.400 --> 26:18.760
about that, and if you could sort of direct me to where I need to go and what I need to

26:18.760 --> 26:21.240
listen to to try to educate myself, I would be really pleased.

26:27.320 --> 26:41.400
Um, just one question: was it medical devices? Because if they fall under the medical regulation

26:45.640 --> 26:54.680
okay, yeah, so I wanted to try to catch all, and you're not

26:55.400 --> 27:03.320
under the CRA, but if you have dual-purpose products which might end up in a medical device but

27:03.320 --> 27:11.000
which might also end up in some other devices, then you have to fulfil the CRA. There are some

27:11.000 --> 27:16.840
guidance documents out there, and we as BSI published also some guidance documents, and we are

27:17.640 --> 27:23.960
still heavily developing those guidance documents on how you can do the risk assessment, so

27:24.840 --> 27:29.800
the vulnerability handling requirements you have to do, and you have to look at what vulnerabilities

27:30.680 --> 27:36.440
can come to your product; you have to, um, surveil them, kind of, and you have to fix them.

27:37.880 --> 27:43.080
The main requirement, or the other requirements on the products, they are mainly risk based, so

27:43.080 --> 27:48.040
it all starts with the risk assessment, and then with the risk assessment you need to decide

27:48.920 --> 27:55.720
what do I need to implement, how much I need to implement to have a secure product,

27:55.720 --> 28:02.440
and that also depends on where it is used, so for you, you probably might end up doing a bit more

28:02.440 --> 28:09.480
than a normal toothbrush, but it all starts on the risk assessment, and there is some guidance

28:09.480 --> 28:16.520
out there, and we are still developing it, on what you have to do there, and that's also an opportunity

28:16.520 --> 28:22.120
to give feedback if that works for you and where you still have questions and what will help you

28:22.120 --> 28:29.720
even more, so we are also looking into that. Maybe just to complement, because indeed, obviously,

28:30.600 --> 28:35.480
as Michael was saying, so medical devices are excluded from the CRA, but indeed you might

28:35.480 --> 28:41.000
be caught in the scope. I didn't quite understand what exactly you do, but it is possible, and of

28:41.000 --> 28:45.560
course we understand and we are aware that software has not been traditionally regulated, so it's a new

28:45.560 --> 28:51.080
industry; there needs to be a lot of awareness, that's why we've started the website, the FAQs,

28:51.080 --> 28:55.400
which are a little bit chunky, but, you know, they give you a bit of an overview of what you need

28:55.400 --> 29:00.120
to do realistically, and I think the insight Michael was providing on the risk assessment, this

29:00.120 --> 29:05.640
is really key: start from what your risks are, are you already following good secure-by-design

29:05.640 --> 29:10.200
practices, are you already doing the things that you're supposed to be doing for good software?

29:11.080 --> 29:17.560
In most cases, when we talk about people in the open source area, they are already doing

29:17.560 --> 29:22.920
almost everything that they need to be doing, so the compliance effort is also relatively limited,

29:22.920 --> 29:27.000
so this is also very, very important. What we want is state-of-the-art secure coding,

29:28.600 --> 29:36.280
secure design, sorry, secure-by-design practices, and vulnerability handling, and in most cases you're

29:36.280 --> 29:42.920
already doing it, you just need to show it and demonstrate it. And also I would like to add,

29:43.720 --> 29:49.400
so try to identify your local or national market surveillance authority and go to them and

29:49.400 --> 29:59.480
chat now so I guess they're happy to get these questions so so that really I think it's a good idea

29:59.480 --> 30:03.960
to identify your national market surveillance authority yeah and to show how happy I am

30:06.440 --> 30:13.240
the first thing should be if you have an industry representative then go to them because they're

30:13.240 --> 30:19.560
looking into the stuff for three years now so they should I know that they do know a lot

30:19.560 --> 30:27.480
and I know that if you come to the right people they will help you they have lawyers who might

30:27.480 --> 30:33.800
address certain questions you might have which we can't we are not allowed to give legal advice

30:33.800 --> 30:40.280
on the CRA so sometimes if people ask us they're not where we satisfied with the answer we have

30:40.280 --> 30:48.680
to give them but you can approach us we can talk and also again your industry representatives

30:49.480 --> 30:54.600
they should know that you want something and that you need something and then they will help

30:55.400 --> 31:01.880
and they should help so we have another question here just quickly before so when you raise your

31:01.960 --> 31:07.960
hand please keep it up else I will assume when you take it down that it was answered in the other

31:07.960 --> 31:13.960
question and beside that I will try to do the best to make sure that I have a sane order

31:15.960 --> 31:22.520
thank you what is your advice for a small business owner that is also leading an open source project

31:23.160 --> 31:31.560
and so it's both a manufacturer and possibly a steward and faces another company that is

31:31.560 --> 31:37.160
kind of free riding on your software and puts you in a responsible position to fix

31:38.360 --> 31:44.920
all the way downstream if you're not or if you're not in the role of a manufacturer

31:45.880 --> 31:51.880
if you're just this you have for the manufacturer stuff if you bring a product on the European

31:51.880 --> 31:58.680
market with the CE label then you have to fulfill the CRA so you have kind of some obligations and

31:59.400 --> 32:05.240
manufacturers who integrate your products into their own and they know that you

32:05.240 --> 32:11.000
fulfill the CE and that you have to do vulnerability handling and that you have to comply to the

32:11.000 --> 32:17.720
essential requirements it's another thing if you have the role of a steward or just a maintainer

32:17.720 --> 32:25.960
then you don't have to do that much as a steward you have to you have to have a coordinated

32:26.040 --> 32:32.120
vulnerability or a vulnerability policy you have to work together with market surveillance if they come and

32:33.640 --> 32:40.840
ask you to do something then they can't they can't tell you what to do but you have to work with them

32:40.840 --> 32:49.160
together to find this solution and you have to report vulnerabilities in the open source components

32:49.240 --> 32:56.520
that you are responsible for as a steward you don't have to fix anything you don't have

32:56.520 --> 33:04.760
to do the vulnerability handling for the manufacturer the manufacturer has to support you into doing

33:04.760 --> 33:11.000
that because he's responsible for everything he puts in this product and he can't just say

33:11.720 --> 33:18.600
I integrated it now do something because I have the responsibility that there's not a vulnerable

33:19.640 --> 33:25.720
product out there he has to work with you and to get what he wants and to get a compliant product

33:25.720 --> 33:50.280
yeah if you're if you're as a manufacturer providing free and open source software then you're not a

33:50.280 --> 33:56.120
manufacturer for that free and open source software the role is depending on the product that

33:56.120 --> 34:02.840
support a regulation for every product you put out there you have to assess what role you take

34:02.840 --> 34:09.240
so manufacturers don't just become manufacturers because they sell one product and then there are

34:09.240 --> 34:20.360
manufacturers for all the other products they have so let's let's go with the order because else it's

34:20.360 --> 34:25.560
difficult with the stream so people will not understand it so let's go with the order there

34:25.560 --> 34:33.160
and then we can also have the other back and forth later outside or when we have the time again

34:34.120 --> 34:42.440
hi my question is kind of related I have a company that supports with regulatory affairs

34:43.240 --> 34:49.000
with our manufacturers but in my case most of my customers are importers so they are actually

34:49.000 --> 34:54.120
considered manufacturer but they didn't develop any of the software any of the hardware but they are

34:54.120 --> 34:59.960
the manufacturer and I have doubt about the economic sustainability for those people because

35:00.920 --> 35:05.720
they have to pay us so we are investing three years we're investing money in

35:06.440 --> 35:14.120
learning CRA and everything and they just don't have the budget to support to pay us for being

35:14.120 --> 35:21.320
compliant so most of what they are doing is decide to not comply okay and that's very common

35:21.320 --> 35:28.200
in many European countries that is you know not Germany and France or the big players okay

35:28.280 --> 35:38.120
just just be sincere we have customers all around the union and in particular I would say that

35:38.920 --> 35:45.880
it is already happened with some other projects from European Union we already made it clear that

35:45.880 --> 35:55.480
it was an issue there is already a phenomenon of non-complying producers and I fear it is going to

35:55.480 --> 36:01.480
happen again if the economic part is not addressed so what sort of opinion about that and

36:01.480 --> 36:07.560
which action you want to take since and no it is a known problem yeah I mean so of course it is

36:07.560 --> 36:13.400
a known problem in a lot of these regulated areas from sort of the NLF new legislative framework

36:13.400 --> 36:20.200
which is how market access basically legislation there are a lot of initiatives of you this

36:20.200 --> 36:23.480
is a little decommission to get away the market surveillance authorities put in place

36:25.080 --> 36:29.560
to address yeah importing goods from third countries that are not compliant

36:30.360 --> 36:35.400
there is no silver bullet of course it requires market surveillance authorities to work together

36:35.400 --> 36:40.600
and to use a risk-based approach to make sure that they go and check where they know that

36:40.600 --> 36:45.560
there are likely to be non-compliances to avoid unfair competition from from companies

36:45.560 --> 36:48.840
maybe just to say that the importer doesn't assume the responsibilities of the manufacturer

36:49.160 --> 36:53.640
the responsibilities remain of the manufacturer but the importer should not and cannot place on the

36:53.640 --> 37:03.160
market products that are non-compliant and I see your face I could reply yeah would be buying

37:04.920 --> 37:10.600
but so I mean I don't have a well-perfect answer but I'm just saying that we obviously are aware

37:10.600 --> 37:14.840
and obviously CRA is not yet in in application so there's not actions that we're doing now

37:14.840 --> 37:19.720
but we're working with the market surveillance authorities to have a strategy on how to address all of that

37:23.000 --> 37:28.840
so I have a small consultants company my one person and I literally the same thing yeah

37:28.840 --> 37:34.520
but still it's slightly different so I make a software that I don't host myself don't even use

37:34.520 --> 37:42.040
myself but it's a fun project that I have now some other company comes along and uses it thankfully

37:42.120 --> 37:49.960
it's an American company why shouldn't I put up a sign that says never use this software in the

37:49.960 --> 37:55.880
European Union you're not allowed to use it go away and is to get out of all the legal

37:55.880 --> 38:01.720
hassle what's the what's the good thing that comes with this why would you need to put that sign

38:01.720 --> 38:08.680
you if you're not really but if you're no monetizing it you're not I mean it's just something

38:08.680 --> 38:14.600
so the downstream integration by a manufacturer does not say anything about whether you

38:14.600 --> 38:20.520
are placing a product on the market it is the responsibility of whoever takes your project

38:20.520 --> 38:26.360
and puts it in their product to ensure compliance now we've seen on the screen Daniel from

38:26.360 --> 38:30.760
curl that is already getting annoying emails from manufacturers that have taken his project

38:30.760 --> 38:35.720
and put it into theirs you don't have a responsibility it is their problem what we want to do

38:35.720 --> 38:40.440
with the attestation project that that we were talking about earlier is to make sure that the

38:40.440 --> 38:47.080
company that takes your product pays you or comes back to you and says okay what do you need to

38:48.120 --> 38:55.320
ensure that this is sustainable and you could if you want give them an attestation that says I've

38:55.320 --> 39:00.520
done these these these these and that and therefore you can be sure that when you integrate it into

39:00.600 --> 39:06.840
your whatever downstream product you have certain assurances and you can fulfill your due

39:06.840 --> 39:11.320
diligence obligation but the fact that somebody who is a manufacturer takes your project

39:11.320 --> 39:16.200
puts it into their product has zero implications for you from a legal point of view

39:22.200 --> 39:27.800
just because you made something great doesn't mean it's a product in the sense of you put

39:27.880 --> 39:34.600
a product onto the European market so you've done something great and that's fine but somebody has

39:34.600 --> 39:40.680
to monetize it and put it onto the European market so there's also some guidance on what that

39:40.680 --> 39:46.040
means and just because somebody uses it you don't have to do anything even the attestation if you

39:46.040 --> 39:53.960
don't want to do any attestation then don't maybe put a sign somewhere that's like with sign

39:53.960 --> 39:58.840
use it on your own risk and you're responsible and I don't care what you do if you put it

39:58.840 --> 40:05.560
into a product which then comes to you when markets I think you I'm learning about the

40:05.560 --> 40:11.240
CRA today so I'm a bit conflated I'm passionate about security but I can also hear the concerns

40:11.240 --> 40:19.160
about manufacturers around a possible barrier to enter in the market right and maybe let's

40:19.160 --> 40:24.840
compare it to this right and although like it's not as well as if it's an episode's product

40:24.840 --> 40:29.880
is in the manufacturer at some point in the chain there is this barrier right but also based on

40:29.880 --> 40:34.600
there I also wanted to ask in terms of I heard about you know security design and secure product

40:35.480 --> 40:41.640
but it also depends on the purpose right which for software is very hard to determine ahead of time right

40:42.040 --> 40:48.600
and there's nothing that's secure 100% so it's what's the right level of effort and how do we

40:48.680 --> 40:59.640
determine that again depends so if you are a developer for free and open source software then you just

41:01.640 --> 41:11.160
I can say do what you want but I mean the open source community tends to look at security a

41:11.160 --> 41:17.320
bit more than other manufacturers might do and there are also a lot of manufacturers who do

41:17.320 --> 41:22.600
all this stuff they're not our problem the CRA is there to get this stuff out which doesn't

41:22.600 --> 41:29.640
comply and the manufacturer has due diligence obligations when he puts a component into his

41:29.640 --> 41:35.880
product so he needs to look at the component and he has to decide does it fit is it fit for the

41:35.880 --> 41:41.880
purpose I want to use it into my product and if it doesn't have certain security features he might

41:41.960 --> 41:48.440
need then he can't use it because then he might have to look for another component he can use

41:48.440 --> 41:56.280
which fulfills everything he wants okay and for the last months we're struggling with a

41:56.280 --> 42:02.280
question regarding who is manufacturer because the definition is who designs or let design

42:03.240 --> 42:09.720
product for himself but what if you're with a someone who's a supply chain have its own product

42:09.800 --> 42:15.080
with digital elements but he's only manufacturing for another bigger manufacturer and

42:16.120 --> 42:21.000
we are as a border when you fall under this I only design for another person who is then the

42:21.000 --> 42:27.240
manufacturer and when I'm the true manufacturer has to solve the obligations of under this

42:27.240 --> 42:33.640
CRA because this definition for design it on your own or let it design creates a lot of

42:33.640 --> 42:39.240
interpretation who is the manufacturer and this supply chain theory with you have two

42:39.240 --> 42:45.640
three or four different parties and supplying stuff for one product with digital elements even if

42:45.640 --> 42:51.320
there are many products which are itself products with digital elements in before in the supply chain

42:53.720 --> 42:59.320
if I'm just to correct the question the manufacturer is the person as in legal or natural

43:00.040 --> 43:05.400
that markets something under their own name or trademark right so if they hire you to

43:06.360 --> 43:10.840
develop a certain feature which then they integrate into their product and that's what they market

43:10.840 --> 43:16.600
they are the manufacturer then of course they might ask you to do certain things as part of hiring

43:16.600 --> 43:23.000
you so that ultimately their product is secure but you are not the manufacturer if you've just

43:23.000 --> 43:29.240
developed a feature for for a company let's say because you know marketing it under your name

43:29.240 --> 43:51.880
or trademark no it depends I mean it no this is not really corrected depends on what is

43:51.880 --> 43:57.880
that's basically the contract for relationship between you and this manufacturer are you actually

43:57.880 --> 44:02.920
supplying something as in are you are you supplying something to one two three four manufacturers

44:02.920 --> 44:07.800
are you just being hired by somebody that's a little bit the line that you need to walk on

44:14.360 --> 44:15.640
say that again sorry I couldn't hear

44:28.840 --> 44:48.840
maybe it helps there is the blue guide which can be downloaded also from the European website

44:48.840 --> 44:54.920
so just Google Blue Guide and there's a definition and some guidance on what it means to

44:54.920 --> 45:01.720
put a product on the European market and because if you're not putting a product on the European

45:01.720 --> 45:13.480
market then you're not a manufacturer sorry can and based on the earlier questions I'm wondering

45:14.520 --> 45:19.240
whether there has been a shift in the definition of the manufacturer because I always understood

45:19.240 --> 45:26.040
in previous discussions from months years back that even as an open source software developer

45:26.040 --> 45:30.840
you would be a manufacturer as long as your solution is being just published but is that has

45:30.840 --> 45:35.480
that been shifted and then when you develop the open source software you're not automatically

45:35.480 --> 45:41.320
a manufacturer where is that border between being an open source developer and being a manufacturer

45:42.200 --> 45:46.520
it was always said if you make money based on the open source then you automatically

45:46.520 --> 45:53.240
become the manufacturer but here in your answers that seems to have shifted and I'm a bit confused

45:53.960 --> 45:59.960
if I just develop open source software put it on make it public I'm not a manufacturer but when I

45:59.960 --> 46:06.680
do consult this you're not how does that work has that to mean the cases you describe neither

46:07.480 --> 46:11.800
is a manufacturer right if you're just putting something in GitHub that you've developed

46:12.360 --> 46:17.560
and everyone can access it and download it then that's it you're not a manufacturer that's

46:17.560 --> 46:21.880
you're not monetizing directly the project you might have a separate consultancy service where

46:21.880 --> 46:27.640
you help manufacturers use it and install that product but that's separate it's not monetizing the

46:27.640 --> 46:33.880
product itself the the GitHub project it's a consultancy service so I don't I don't know if that's what

46:33.880 --> 47:02.040
you are getting at it yeah so the generally speaking so it's not generally speaking if even though

47:02.040 --> 47:06.760
the two things might be related because you might be you know you have the expertise because you

47:06.760 --> 47:10.600
are the person that developed if the product is placed on the market for free and

47:12.200 --> 47:17.880
freely accessible so it's free and open source yeah that would not be that's the way we're thinking

47:17.880 --> 47:25.160
about is that it wouldn't be a monetization yeah the thing is that if you put something out there

47:25.160 --> 47:31.720
and the customer can do everything himself might not have the knowledge but he if he acquired

47:31.720 --> 47:38.680
the knowledge to do it then he could do everything himself then you're providing something totally

47:38.680 --> 47:45.080
for free so everybody can use it just because you might have some more knowledge and you have a

47:45.080 --> 47:50.680
service to support someone to integrate it then that's your service you're doing you're not

47:50.840 --> 47:58.920
putting a product out there yes another question just I know it can be a bit disappointing

47:58.920 --> 48:04.440
when the speakers the people on the panel then can't answer the question completely but it's

48:04.440 --> 48:09.160
very difficult and this set up here to have a back and forth and between the first person asking

48:09.160 --> 48:14.200
the questions so let's try to then also have follow up questions with the people after the talk

48:14.840 --> 48:20.360
or then when it's the next time it turns and if I may as well just to say that of course

48:20.360 --> 48:25.480
you know we might not have all the answers but we also take the input and we reflect on it and

48:25.480 --> 48:30.280
I personally cannot commit to anything but you know internally we can work on the guidance that

48:30.280 --> 48:36.760
once it's published it kind of commits the commission so all right so thanks for all the answers

48:36.760 --> 48:43.160
so far so if you have a large product as a manufacturer maybe have 10,000 open source components in there

48:44.120 --> 48:48.840
you need to hunt down all these attestations but you need to know your components first so your

48:48.840 --> 48:55.480
dependency graph now I wonder in open source license compliance the components are legally defined

48:55.480 --> 49:02.280
so that's the discrete binary components but it's also separately the copy and paste in those components

49:02.280 --> 49:09.240
so for the CRA what's the component it's the discrete binary components you build into your product

49:09.320 --> 49:14.680
or is it also within those binary components copy and paste it's a legal question maybe it's

49:14.680 --> 49:23.880
a theoretical question but I would like to know the answer I'm not sure if I understood the

49:23.880 --> 49:30.200
question correctly but the manufacturer is responsible for everything in his product

49:31.240 --> 49:37.720
so if he puts in a component which also has other components he's still responsible for the whole

49:37.720 --> 49:51.400
product he puts on the market a question a little bit on financing open source developers because

49:52.280 --> 49:56.680
there's been some talk about yeah but we can't expect open source developers to start solving

49:56.680 --> 50:02.440
our problems for free and I think that's a completely legitimate question I think the word free

50:02.440 --> 50:08.040
and free and open source by the people who use it they tend to think I don't have to pay for it

50:08.760 --> 50:14.120
but free for us as open source developers mean that we still have sovereignty over our own time

50:14.120 --> 50:21.160
and we want to put our time into a hobby project that we might not even want to be paid to do something

50:21.160 --> 50:28.920
because if I make my hobby my work I have to find a new hobby so have you kind of thought about

50:29.000 --> 50:35.240
people who might I completely understand there are people they don't want to fix other people

50:35.240 --> 50:39.720
stuff for free and they should have a way to be remunerated that I completely understand but there's

50:39.720 --> 50:44.360
also a side of us who are like no I don't want your money I want sovereignty over my own project

50:44.360 --> 50:52.200
yeah then how do you how do you see that balance being given then when manufacturers then have to

50:52.200 --> 50:57.720
say okay then I'm not going to use that component anymore or can they still do it or how do you

50:57.800 --> 51:01.880
force someone to do work for you if they already have so much on their plate in their daily job

51:03.480 --> 51:09.880
the thing is again they're responsible for everything and if you don't want to do anything with

51:09.880 --> 51:16.600
the manufacturer you just want to do your own project then they can't force you there's no obligation

51:16.600 --> 51:23.480
for you to do something they can still use your component if then even if there's a vulnerability in

51:24.120 --> 51:29.560
they have to do something and see how they can fix that vulnerability or mitigate that vulnerability

51:29.560 --> 51:35.960
so it's their responsibility and through their due diligence they then have to decide

51:35.960 --> 51:43.880
can I use the project for what I want to do or maybe I need to look somewhere else and use another

51:43.880 --> 51:53.880
component so maybe also like you don't even have to answer these questions why so the

51:53.880 --> 51:58.920
current example again from Daniel so what we want or what's out there is you don't even have to

51:58.920 --> 52:04.680
react on this so if you do not want to do anything you do not have to do anything so but the manufacturer

52:04.680 --> 52:08.680
might go there and just fork your project so that might be the easiest solution for a manufacturer

52:08.680 --> 52:14.280
or just like to make sure that there's some like that you can fulfill the obligations point

52:14.280 --> 52:19.160
so but also another idea might be so if you do not want to be the steward and you do not

52:19.160 --> 52:24.120
want to have this interaction Mr. Manufacturer maybe the attestation could be some way out so

52:24.120 --> 52:30.680
that you do this once in like a specific way and then you say towards a manufacturer and you don't

52:30.680 --> 52:34.920
need to have to contact to the manufacturer that there is some sort of attestation and this is

52:34.920 --> 52:40.280
then how you can make sure that your project is still not forked but can be integrated so what we

52:40.280 --> 52:46.200
want to see is that there are many ways for in particular individual developers to decide if you

52:46.200 --> 52:50.280
want to interact to which extent you want to interact or if you do not want to interact at all

52:50.360 --> 53:06.840
okay my question is pretty basic what are the different roles which is recognized in CRA and

53:06.840 --> 53:12.840
the CRA and what are their duties and responsibilities because what is happening is that we are

53:12.840 --> 53:19.320
doing our own interpretation so it would be amazing to hear from the horse's mouth okay so

53:19.320 --> 53:28.200
it's a easy question not sure but no okay so indeed we did not really present the CRA but the main

53:28.200 --> 53:32.920
role is the manufacturer that's the entity that markets the product under their name or trademark

53:32.920 --> 53:45.080
and has the bulk of the obligations so I cannot name names but in the context of open source you

53:45.080 --> 53:51.080
could imagine that there is a very famous company that does an operating system and that

53:53.640 --> 53:59.800
I am not naming names and that company would likely qualify for the definition of a manufacturer

53:59.800 --> 54:06.040
then there is a very famous foundation that has a lot of projects that also the commission is working with

54:06.680 --> 54:13.240
and they might qualify for the steward role and then there is a lot of you in the room that just have fun

54:13.720 --> 54:20.360
I mean they also do it for a living but you are not like the very famous company that we mentioned earlier

54:20.360 --> 54:26.440
so the very famous company is the manufacturer the manufacturer is responsible for ensuring the

54:26.440 --> 54:32.280
product is designed according to the essential requirements of the CRA so before they place it on the market

54:32.280 --> 54:37.640
and after the placement on the market they're responsible for fixing the vulnerabilities that might

54:37.800 --> 54:45.080
emerge in the product as part of all of this they need to run what is called a conformity assessment procedure

54:45.080 --> 54:50.760
so they need to check and say okay how is this essential requirement related to cryptography

54:50.760 --> 54:55.960
how is it implemented in my product and they need to demonstrate that it's implemented and so on and so forth

54:55.960 --> 54:59.960
and they need to exercise crucially due diligence on the components that they take from elsewhere

55:00.840 --> 55:08.440
the stewards have a much lower regime they need to put in place a policy to make sure that the projects

55:08.440 --> 55:14.920
that they host and that they support follow secure by design practices and they need to the

55:14.920 --> 55:19.080
extent that they are involved directly in the development so that they have developers on call etc

55:19.080 --> 55:24.920
they need to report vulnerabilities that might emerge maybe you should then say these out loud

55:24.920 --> 55:30.760
there are no fines for failure to meet these obligations for the stewards so we rely on the good

55:30.760 --> 55:36.200
cooperation from them to do that then there are a bunch of other roles I mean there's the market

55:36.200 --> 55:41.080
surveillance authorities which are the national authorities at national level that are responsible

55:41.080 --> 55:48.120
to enforce the regulation and there are the computer security incident response teams of

55:48.120 --> 55:54.360
the member states that are also responsible for helping with addressing vulnerabilities when there

55:54.680 --> 55:59.400
is an emergency so that's a little bit the market the main architecture then you have importers you

55:59.400 --> 56:08.120
have other roles but these are the main the main legal figures yes I have another question

56:09.160 --> 56:17.320
as a manufacturer I am now responsible for the entire product but also everything that I am using

56:17.320 --> 56:22.840
so now I'm a little bit torn here because either I can go with open source and use that one

56:23.720 --> 56:30.440
but then I'm responsible for making sure that it's actually fixed so if I can convince the

56:30.440 --> 56:34.680
open source product to actually fix the bug if they don't then I have to fix it and that costs more

56:35.240 --> 56:41.320
man hours instead of money money is easier to get than man hours often but I'm also responsible for

56:43.160 --> 56:48.520
ensuring that if there are so I need to monitor all these open source products myself

56:49.400 --> 56:55.320
while on the other side I can go to a company and I can buy a license and then they are more

56:55.320 --> 57:02.440
responsible for giving me all the information so quite often we go and we buy things and then

57:02.440 --> 57:07.160
need to contract to say well you have to do all these parts and you have to monitor and make sure

57:07.160 --> 57:14.360
that the product is secure so now I would actually go more towards the commercial licenses because

57:14.440 --> 57:28.120
start it's easy for me yeah they take money definitely so it's the question or could be the question

57:28.840 --> 57:37.240
who wants more money and you're still responsible so the question is how much does that cost you

57:37.400 --> 57:43.720
instead of finding a way to support open source so if that's cheaper for you then

57:44.600 --> 57:50.920
business case maybe it's better to support them still get everything you want and the other question

57:50.920 --> 57:59.000
is looking at how much open source is used in all the products around the European market

57:59.560 --> 58:06.680
does that scale and is that even feasible are there enough manufacturers who can go and just

58:06.680 --> 58:12.760
replace all the open source we are using how can you believe in quality wise right I will

58:12.760 --> 58:18.600
be so sure that what you get on the license is better quality better security than a lot of

58:18.600 --> 58:28.360
the open source projects be baitable so he told me I should be quick so I'm working for a

58:28.360 --> 58:35.880
company we are producing semiconductors and with that devices controllers we also provide

58:35.960 --> 58:44.680
code examples like two three examples to showcase different functionalities so this is not like a

58:44.680 --> 58:50.600
finalized product someone could use but still he could use this code and implement it into his

58:50.600 --> 58:58.120
final end product what is your recommendation towards those code examples so what should we do

59:06.760 --> 59:12.760
so generally speaking I mean obviously I cannot offer legal advice to the specific case

59:12.760 --> 59:16.760
but it is unlikely that something like that would be considered as a product with digital

59:16.760 --> 59:23.000
elements placed on the market it's just simple code so it's most likely not going to be considered

59:23.000 --> 59:30.040
as a product therefore not subject to the CRA so we will have some guidance on this topic

59:30.040 --> 59:36.760
coming out soon I'm sorry that we have to cut it now please join me in the big round of applause especially

