WEBVTT 00:00.000 --> 00:11.480 Good morning, everyone. 00:11.480 --> 00:19.680 So this is our European Commission presentation about the Cyber Resilience Act, somehow 00:19.680 --> 00:27.760 reporting to the community about how we have tried to engage with you. 00:27.760 --> 00:34.760 In 2024, we gave also a talk called "The regulators are coming". 00:34.760 --> 00:39.800 Well, two years later, the regulators are here. 00:39.800 --> 00:41.000 My name is Philippe Morão. 00:41.000 --> 00:46.160 I am a policy officer in DG CONNECT in the CRA team. 00:46.160 --> 00:51.640 I'm joined on the stage, actually. 00:51.640 --> 00:55.040 I'm joined on the stage by Lucia Lampri from CEN. 00:55.040 --> 01:01.940 That's a European standardization organization, Luach Pursan from ETSI, another European 01:01.940 --> 01:04.080 standardization organization. 01:04.080 --> 01:10.080 And Carl Daniel Helfinger from the German BSI, who will be a market surveillance authority 01:10.080 --> 01:12.520 under the CRA. 01:12.520 --> 01:19.360 So in case some people are not yet very familiar with the CRA, we will cover some basics, 01:19.360 --> 01:24.240 and we will give you an update of where we are, what we've been doing, and how you can 01:24.240 --> 01:26.320 still get involved. 01:26.320 --> 01:32.080 I hope you can hear me well because the microphone is, okay. 01:32.080 --> 01:40.720 So in a nutshell, the CRA is asking manufacturers to remove vulnerabilities from their products 01:40.720 --> 01:43.200 before placing them on the market. 01:43.200 --> 01:50.480 It's nothing against Swiss cheese, it's just against vulnerabilities in products. 01:50.480 --> 02:00.240 And it uses the logic of EU product legislation with the CE marking to define horizontal 02:00.240 --> 02:07.480 requirements for products that apply in a risk-based way across the product lifecycle.
02:07.480 --> 02:14.160 That means also once the product has been placed on the market, manufacturers are asked 02:14.160 --> 02:17.320 to do vulnerability handling. 02:17.320 --> 02:23.040 It uses harmonized standards to help manufacturers comply. 02:23.040 --> 02:30.400 And the enforcement of the legislation happens ex post by market surveillance authorities. 02:30.400 --> 02:33.640 That's the general logic. 02:33.640 --> 02:37.080 The scope of the CRA is quite broad. 02:37.080 --> 02:45.200 It covers both software and hardware products, including the remote data processing solutions, 02:45.200 --> 02:51.000 the remote parts of our products, more and more prevalent every day. 02:51.000 --> 02:57.280 There are some important exclusions, though, in particular, non-commercial products are excluded 02:57.280 --> 03:03.280 from scope, which of course includes all non-commercial open source. 03:03.280 --> 03:10.160 There's also an exclusion for standalone services, exclusively web-based websites, things 03:10.160 --> 03:11.160 like that. 03:11.160 --> 03:18.200 And there are also some sectoral exclusions, products that are regulated by other legislation, 03:18.200 --> 03:25.440 like medical devices, automotive, aeronautics, marine equipment. 03:25.440 --> 03:32.200 The CRA, because it covers this broad scope, one of the things that I really think it will 03:32.200 --> 03:37.280 do, is it will foster supply chain cooperation. 03:37.280 --> 03:44.040 It's really the first time that manufacturers essentially have to speak to their suppliers 03:44.040 --> 03:50.640 and to their downstream integrators in order to get more information about what's happening, 03:50.640 --> 03:54.840 so that that will help them to comply more easily. 03:54.840 --> 04:02.880 So the CRA creates the conditions for large-scale cooperation along the supply chain.
04:02.880 --> 04:07.840 And the approach to open source, which I think is probably the most important slide today, 04:07.840 --> 04:15.200 is that only directly monetized open source products are subject to the CRA. 04:15.200 --> 04:20.080 That means only those that are being properly commercialized. 04:20.080 --> 04:28.880 If you just provide development and you charge for your time or for your resources, 04:28.880 --> 04:34.040 that might not even be a form of commercialization. 04:34.040 --> 04:39.600 If it's free and open source, we don't want to prevent you from doing your work. 04:39.600 --> 04:43.120 We don't want to put extra burdens on you. 04:43.120 --> 04:50.640 On the other hand, if you are providing support services, branding and placing this on the 04:50.640 --> 04:56.680 market under your trademark, then you are considered like any other manufacturer. 04:56.680 --> 05:02.800 Then the CRA also creates the open source steward; not anyone can be a steward. 05:02.800 --> 05:07.920 You have to be a legal entity, non-profit. 05:07.920 --> 05:13.480 And for those, it creates a kind of lightweight approach where stewards have to set out 05:13.480 --> 05:19.560 a policy, basically kind of setting out best practices for a community. 05:19.560 --> 05:24.560 So this is the general logic of the CRA, and for us, the most important message is that 05:24.560 --> 05:29.800 the CRA does not regulate non-commercial open source. 05:29.800 --> 05:35.800 So for instance, all of the very useful tips that were provided by the previous speaker, 05:35.800 --> 05:42.680 all of those I think are much more useful for an open source company, an open source manufacturer 05:42.680 --> 05:45.120 who is in scope of the CRA. 05:45.120 --> 05:50.880 But if you are just an open source developer who is not commercializing your code, well, 05:50.880 --> 05:54.640 yeah, you can do those things and that might be good for the world, but you don't have 05:54.640 --> 05:55.640 to.
05:55.640 --> 05:58.880 And the CRA doesn't ask you to do them at all. 05:58.880 --> 06:04.120 That's, I think, a very important message that we wanted to remind everyone of. 06:04.120 --> 06:07.320 So anyway, quick point on the timeline. 06:07.320 --> 06:12.800 The CRA was adopted end of 2024, and we are in the transition period. 06:12.800 --> 06:14.560 That's a three-year period. 06:14.560 --> 06:19.800 We've been busy on standards, we've been busy on guidance, there's a CRA expert group. 06:19.800 --> 06:22.560 Just a few details on that. 06:22.560 --> 06:27.960 The expert group includes open source representatives, it includes open source SMEs, 06:27.960 --> 06:33.880 it includes foundations, and we are quite happy with the variety of stakeholders. 06:33.880 --> 06:38.280 There's also been work that we have done in terms of implementing legislation with the 06:38.280 --> 06:43.160 technical descriptions of important and critical product categories. 06:43.160 --> 06:47.200 And the CRA website with FAQs has been published. 06:47.200 --> 06:51.720 So please check those out if you're curious to understand better the legal reasoning 06:51.720 --> 06:54.880 behind the CRA. 06:54.880 --> 07:00.400 And coming up this next year, there will be more CRA guidance, in this case, it's a lot 07:00.400 --> 07:07.480 about the FAQs becoming more official guidance, including guidance on the definition of open 07:07.480 --> 07:12.360 source and the definition of open source stewards, notions such as the monetization or the 07:12.360 --> 07:13.640 commercialization. 07:13.640 --> 07:18.960 So a lot of the questions that you might still have about what are the nitty-gritty details 07:18.960 --> 07:21.560 of when the CRA applies or doesn't. 07:21.560 --> 07:26.480 We hope that this will go a long way to answering those questions.
07:26.480 --> 07:31.800 But even if they don't, bear in mind, we see this as a living document that we will continue 07:31.800 --> 07:33.280 to update. 07:33.280 --> 07:37.920 We will continue to engage with the community, collect your questions, and try to answer 07:37.920 --> 07:39.920 them. 07:39.920 --> 07:44.560 There's also a study ongoing on voluntary security attestations. 07:44.560 --> 07:47.600 This comes from the CRA Article 25. 07:47.600 --> 07:54.200 We hear a lot of interest from the community as a way of developing these attestations 07:54.200 --> 08:00.160 in a way that will actually support developers and manufacturers going forward on open 08:00.160 --> 08:01.560 source. 08:01.560 --> 08:07.080 And we are also working with ENISA, who will be setting up a single reporting platform, 08:07.080 --> 08:13.400 because CRA reporting obligations, again, just for manufacturers, they kick in from September 08:13.400 --> 08:16.080 2026. 08:16.080 --> 08:18.160 There's a standardization request. 08:18.160 --> 08:20.120 It was adopted early last year. 08:20.120 --> 08:23.000 There's a lot of standardization effort that has been going on. 08:23.000 --> 08:29.520 This image represents visually a little bit the architecture of the standardization request. 08:29.520 --> 08:33.640 And basically, there's a framework standard, some horizontal standards. 08:33.640 --> 08:38.680 And then the type C standards that you see at the bottom, these are product-specific or 08:38.680 --> 08:44.240 product category standards that will be able to go into the details sufficiently to receive 08:44.240 --> 08:46.600 a presumption of conformity. 08:46.600 --> 08:51.400 That is the objective of harmonized standards. 08:51.400 --> 08:56.400 So participation of open source, how has this happened in the CRA? 08:56.400 --> 08:59.480 I tried to summarize that in this slide. 08:59.480 --> 09:03.360 Essentially, we heard you during the legislative process.
09:03.360 --> 09:08.160 The Commission came out with a proposal, and maybe the exclusion on open source was not as clear as many of you 09:08.160 --> 09:11.000 would have liked. 09:11.000 --> 09:13.960 So I think that that was improved in the text. 09:13.960 --> 09:16.880 Then during the standardization, we've made efforts. 09:16.880 --> 09:21.880 And we will hear a little bit more about that from the standardization bodies who are here. 09:21.880 --> 09:27.880 There is participation, even in the CRA expert group, there is participation for the development 09:27.920 --> 09:29.200 of guidance. 09:29.200 --> 09:34.000 And of course, we have some proactive engagement from the Commission with the open source 09:34.000 --> 09:37.800 communities, case in point. 09:37.800 --> 09:40.600 So that's my part of the presentation. 09:40.600 --> 09:42.440 Thanks everybody for listening. 09:42.440 --> 09:46.640 I want to say that there are pins and stickers that have been floating around. 09:46.640 --> 09:50.280 So please come and collect your pins and stickers for the CRA. 09:50.280 --> 09:56.680 And then I will pass the microphone to Lucia for the CEN-CENELEC part of the presentation. 09:56.680 --> 10:04.160 Thank you very much, Philippe. 10:04.160 --> 10:05.160 So I'm Lucia Lampri. 10:05.160 --> 10:06.760 I'm from CEN and CENELEC. 10:06.760 --> 10:12.600 And we are two out of the three European standardization organizations. 10:12.600 --> 10:17.080 And we have members in thirty-four countries, that's how we work, members-based, country 10:17.080 --> 10:18.080 by country. 10:18.080 --> 10:23.720 So if you read your country here, probably you will see also the race representative. 10:23.720 --> 10:26.640 And then you can Google and you can read more about it. 10:26.680 --> 10:30.000 How to join, for example, underworld that they are doing. 10:30.000 --> 10:34.280 We are also working in many, many sectors, not only ICT, but a lot of sectors.
10:34.280 --> 10:42.000 We have over 90,000 experts in our network of experts and 482 technical bodies. 10:42.000 --> 10:45.880 So that was a little bit of facts and who we are. 10:45.880 --> 10:46.880 How we work. 10:46.880 --> 10:49.200 So we have expert working groups. 10:49.200 --> 10:52.080 We have experts nominated by the national members. 10:52.120 --> 10:56.720 So we have European partners, including the Commission, and 10:56.720 --> 11:02.160 experienced organizations that are in ICT, international level, affiliates, 11:02.160 --> 11:06.280 partner organizations, and in particular for the cyber activities. 11:06.280 --> 11:09.520 We have received requests from the foundations. 11:09.520 --> 11:15.880 We have the Eclipse Foundation and the current request from the Linux Foundation. 11:15.880 --> 11:20.480 As it was mentioned in the pyramid that Philippe was showing, we have different technical 11:20.520 --> 11:21.320 bodies. 11:21.320 --> 11:26.360 So we are developing standards at JTC 13, TC 224, 11:26.360 --> 11:28.880 CLC/TC 47X and 65X. 11:28.880 --> 11:31.480 So those are the names of our technical bodies. 11:31.480 --> 11:33.600 We have a lot of technical bodies. 11:33.600 --> 11:38.200 And so if you want to know more, remember that slide of the pyramid that shows 11:38.200 --> 11:41.040 the structure of the standardization request. 11:41.040 --> 11:43.480 So this is a very important slide. 11:43.480 --> 11:48.480 It's the final slide that I have before handing over the floor to my colleague. 11:48.520 --> 11:50.560 Where were we before, in the past? 11:50.560 --> 11:54.680 So we come from a long-standing trusted system. 11:54.680 --> 11:57.480 The European standardization organizations and elect, 11:57.480 --> 12:01.040 it's from their side, they are a little bit different than us. 12:01.040 --> 12:04.280 And we were always based in the international frameworks.
12:04.280 --> 12:10.400 And we had then the decades of following the ISO and IEC international levels. 12:10.400 --> 12:14.640 And we were largely and long unknown to the open source communities. 12:14.640 --> 12:17.360 And they were also unknown to us. 12:17.360 --> 12:18.560 Where are we today? 12:18.560 --> 12:23.280 So we found that not only for the CRA, but in the broader ICT context, 12:23.280 --> 12:28.920 the open source communities become more and more relevant to our work. 12:28.920 --> 12:33.320 So there is growing engagement from the open source foundations with us. 12:33.320 --> 12:35.800 But also we noticed that there are barriers. 12:35.800 --> 12:37.800 There is limited access. 12:37.800 --> 12:39.160 We have a cultural gap. 12:39.160 --> 12:40.880 I think this one is a very important one, 12:40.880 --> 12:44.200 because we see that there are different needs and languages 12:44.200 --> 12:47.320 from our stakeholders and from your communities. 12:47.320 --> 12:51.200 And now we're trying to shift towards a more agile development 12:51.200 --> 12:56.600 of our specifications, trying to incorporate different tools. 12:56.600 --> 12:59.440 And we identify the dissacrution moment, 12:59.440 --> 13:01.520 because the mutual learning has become. 13:01.520 --> 13:03.160 So this is good, not perfect. 13:03.160 --> 13:05.200 And where are we going now? 13:05.200 --> 13:08.800 We are trying to have a structured dialogue. 13:08.800 --> 13:12.120 And engage more with the open source communities. 13:12.120 --> 13:15.560 We're seeking input from our technical committees 13:15.560 --> 13:17.760 and trying to do expert interviews. 13:17.760 --> 13:21.440 I have my wonderful colleague, Jenny, who is handing out the stickers. 13:21.440 --> 13:24.280 He's helping us with collecting this information. 13:24.280 --> 13:28.240 And we are trying to prepare the ground for a stronger collaboration.
13:28.240 --> 13:31.920 And we are trying to engage management and different kinds of inputs. 13:31.920 --> 13:34.160 So this is where we are today. 13:34.160 --> 13:35.040 We are learning. 13:35.040 --> 13:37.320 We are wanting to hear from you. 13:37.320 --> 13:41.160 And this is on behalf of both CEN-CENELEC and ETSI. 13:41.160 --> 13:45.640 We have multiple stakeholder involvement at events. 13:45.640 --> 13:48.120 And if you want to stay tuned, follow our events, please. 13:48.120 --> 13:50.880 And there is an any second, friends, also coming up in March. 13:50.880 --> 13:51.600 So thank you. 13:51.600 --> 13:52.960 And I give the floor to Laura. 13:52.960 --> 13:54.960 Thank you. 13:54.960 --> 14:00.200 Thank you, Lucia. 14:00.200 --> 14:02.200 Can you hear me? 14:02.200 --> 14:03.200 Yes. 14:03.200 --> 14:04.200 OK. 14:04.200 --> 14:08.280 So ETSI is also a European standardization organization. 14:08.280 --> 14:10.560 Together with CEN and CENELEC, we have the task 14:10.600 --> 14:15.680 to develop the standards to implement the CRA. 14:15.680 --> 14:19.680 In ETSI, the stakeholders participate directly 14:19.680 --> 14:23.040 in the development of the standards. 14:23.040 --> 14:25.800 We are a not-for-profit organization. 14:25.800 --> 14:30.400 And our membership includes very diverse organizations. 14:30.400 --> 14:34.320 We have big industry players, but we also have SMEs, 14:34.320 --> 14:38.800 micro-enterprises, we have associations, academia, 14:38.800 --> 14:43.120 governments, and public bodies participating on an equal footing 14:43.120 --> 14:46.840 in the development of the standards. 14:46.840 --> 14:49.880 The membership is not limited to European companies. 14:49.880 --> 14:54.360 We have 900 members coming from 60 different countries.
14:54.360 --> 14:58.520 And maybe most importantly, to this audience, 14:58.520 --> 15:02.720 Linux Foundation, Eclipse Foundation, OSI, Mozilla, 15:02.720 --> 15:06.080 and many other companies involved in open source software 15:06.080 --> 15:09.880 development are our members, and they can nominate delegates 15:09.880 --> 15:14.640 to participate in the work of the technical groups. 15:14.640 --> 15:17.320 So you're welcome to join the technical groups 15:17.320 --> 15:19.080 to develop the standards. 15:19.080 --> 15:22.760 In order to implement the CRA standardization request, 15:22.760 --> 15:26.480 we created a specific group within a technical committee 15:26.480 --> 15:30.760 on cybersecurity, and this group is named EUSR 15:30.760 --> 15:33.200 for EU standardization request. 15:33.200 --> 15:37.080 A good fast, because this is basically a specific technical group 15:37.080 --> 15:39.080 that we have created. 15:39.080 --> 15:41.320 And I come to the subject matter. 15:41.320 --> 15:47.040 In this group, we are developing 17, and a 19 15:47.040 --> 15:49.640 bonus, harmonized standards. 15:49.640 --> 15:51.400 So what are harmonized standards? 15:51.400 --> 15:54.840 They are technical specifications that translate 15:54.840 --> 15:57.840 the essential requirements of the regulation 15:57.840 --> 16:02.080 into practical requirements that you can implement 16:02.080 --> 16:04.880 in your product, practical security measures, 16:04.880 --> 16:07.440 that reflect the state of the art. 16:07.440 --> 16:12.760 And also the harmonized standards include assessment criteria 16:12.760 --> 16:16.160 that can be used to verify in an objective manner 16:16.160 --> 16:19.080 that these technical requirements are met. 16:19.080 --> 16:22.360 You can see here the list of product categories 16:22.360 --> 16:25.160 for which we develop standards. 16:25.160 --> 16:26.680 There are 17 of them. 16:26.680 --> 16:27.680 I let you read.
16:27.680 --> 16:32.040 We have browsers, password managers, anti-virus, VPN, 16:32.360 --> 16:33.520 et cetera. 16:33.520 --> 16:38.160 I want to stress the fact that many of our rapporteurs, 16:38.160 --> 16:41.720 meaning the people who are in the leading role 16:41.720 --> 16:45.000 to draft the standards, in fact, the majority of them 16:45.000 --> 16:47.960 are people coming from the open source community. 16:47.960 --> 16:50.040 And many of them are present in the room. 16:50.040 --> 16:55.040 So if you want to have a chance to exchange with them, please do so. 16:59.040 --> 16:59.920 That's my message. 16:59.920 --> 17:02.320 So you're welcome to talk to the rapporteurs 17:02.320 --> 17:06.720 and you're also welcome to contribute to the standards. 17:06.720 --> 17:09.000 So how can you contribute? 17:09.000 --> 17:11.160 Throughout the standard development process, 17:11.160 --> 17:15.240 we've tried to follow a very open and transparent process. 17:15.240 --> 17:18.880 We have started open consultation back in November. 17:18.880 --> 17:22.000 And we have basically made our draft standards 17:22.000 --> 17:27.400 publicly available in an open area, as well as in a GitLab 17:27.400 --> 17:31.000 repository, since November. 17:31.000 --> 17:35.720 At this moment, we have mature drafts posted 17:35.720 --> 17:39.200 in the open area in GitLab. 17:39.200 --> 17:43.960 And we invite you to review those and to submit your comments 17:43.960 --> 17:45.080 in the GitLab platform. 17:45.080 --> 17:49.400 I will show the link on the next slide. 17:49.400 --> 17:53.880 The other thing we have organized, together with Lucia, is 17:53.880 --> 17:55.120 deep dive sessions. 17:55.120 --> 18:00.440 That is where we held basically webinars 18:00.440 --> 18:02.240 open to the public, where the rapporteurs 18:02.240 --> 18:05.360 were explaining the content of the standards 18:05.360 --> 18:08.560 and offering people the opportunity to engage.
18:08.560 --> 18:11.120 And these webinars have been recorded. 18:11.120 --> 18:15.560 And you can listen to them and replay. 18:15.560 --> 18:20.360 Another important point is the fast-track pace 18:20.360 --> 18:22.160 at which we are working. 18:22.160 --> 18:25.560 So the opportunity to comment on the draft standards 18:25.560 --> 18:29.320 is now, between now and the end of March. 18:29.320 --> 18:31.840 Please submit your comments, please review. 18:31.840 --> 18:35.680 Because after that stage, the final drafts 18:35.680 --> 18:39.760 will go under a formal approval, the public enquiry, 18:39.760 --> 18:42.360 that will be led by the national standardization 18:42.360 --> 18:43.520 organizations. 18:43.520 --> 18:45.480 So you will no longer have the opportunity 18:45.480 --> 18:47.760 to influence directly, but you 18:47.760 --> 18:50.080 will have to go through your national delegation 18:50.080 --> 18:51.600 to submit your comments. 18:51.600 --> 18:53.560 But comments will still be received, 18:53.560 --> 18:56.240 until roughly the middle of this summer. 18:59.560 --> 19:02.000 OK, so I think the main message was this. 19:02.000 --> 19:03.840 So please join us. 19:03.840 --> 19:06.280 Please take this opportunity to influence 19:06.280 --> 19:08.240 and contribute to the standards. 19:08.240 --> 19:11.600 You can read them at this link, 19:11.600 --> 19:14.160 where the QR code is pointing to. 19:14.160 --> 19:17.760 At this moment, we have 13 standards available there 19:17.760 --> 19:19.080 for you to review. 19:19.080 --> 19:22.040 Next week, there will be all 17 of them. 19:22.040 --> 19:24.120 So please do so. 19:24.120 --> 19:25.680 And we'll welcome your input. 19:25.680 --> 19:26.880 Thanks a lot. 19:26.880 --> 19:34.880 APPLAUSE 19:34.880 --> 19:35.880 Hi. 19:35.880 --> 19:43.680 So yeah, I first wanted to say thank you. 19:43.680 --> 19:45.720 You can unmute me? 19:45.720 --> 19:46.360 Excellent. 19:46.360 --> 19:48.080 So thank you.
19:48.080 --> 19:52.200 Thank you for pouring your heart into developing 19:52.200 --> 19:53.560 free and open source software. 19:53.560 --> 19:56.120 You sacrificed your time for the common good. 19:56.120 --> 19:59.240 You created digital building blocks of our society. 19:59.240 --> 20:00.320 And you helped build our future. 20:00.320 --> 20:02.840 So if you see that small temple on the right, 20:02.840 --> 20:04.880 on these bricks, it's written FOSS. 20:04.880 --> 20:07.320 You probably can't see that on the screen. 20:07.320 --> 20:10.520 And we appreciate this gift you're giving to the whole society. 20:10.520 --> 20:12.120 We want to say thank you. 20:12.120 --> 20:13.600 I heard that thank you. 20:13.600 --> 20:16.000 And we promise to see our able help here. 20:16.000 --> 20:17.760 We also know, words are nice. 20:17.760 --> 20:19.200 Practical help is a lot better. 20:19.200 --> 20:24.080 So obligatory comic time. 20:24.080 --> 20:28.000 And this is intended to be a stick figure, carrying a huge rock, 20:28.000 --> 20:29.760 written with pressure and demands. 20:29.760 --> 20:31.880 And so is the CRA just another burden? 20:31.880 --> 20:34.520 The final straw to make you collapse and kill you? 20:34.520 --> 20:36.040 No, of course not. 20:36.040 --> 20:38.520 The CRA is intended as your sword and shield. 20:38.520 --> 20:42.240 It will shield you against demands, against pressure, against obligations. 20:42.240 --> 20:43.640 And also your sword. 20:43.640 --> 20:46.800 So you can take that sword and force a seller 20:46.800 --> 20:50.040 of products with digital elements containing your project 20:50.040 --> 20:53.760 to give you the bug fixes for free, of course. 20:53.760 --> 20:57.280 So because people have asked: obligations 20:57.280 --> 20:59.920 of a non-commercial free and open source software developer 20:59.920 --> 21:00.920 are zero. 21:00.920 --> 21:02.080 There are no obligations.
21:02.080 --> 21:05.640 You do not need to join any steward or whatever 21:05.640 --> 21:07.200 if you're a free and open source developer 21:07.200 --> 21:10.560 not earning money with that, and you're out of scope of the CRA, 21:10.560 --> 21:12.360 and everybody telling us something else 21:12.360 --> 21:14.440 can please go away and read the law. 21:16.800 --> 21:26.040 So next point, not even if somebody is using your project 21:26.040 --> 21:29.720 in their commercial project, that's their problem, not your problem. 21:29.720 --> 21:31.680 And you have no obligation for bug fixes 21:31.680 --> 21:34.320 and software bill of materials, reaction time or whatever. 21:34.320 --> 21:36.800 You can just tell them, go away, and by the way, 21:36.800 --> 21:39.000 at the event page for this talk, 21:39.000 --> 21:41.360 there is a list of unofficial answers 21:41.360 --> 21:43.800 quoting the law why this is correct. 21:43.800 --> 21:46.080 So you can just copy and paste those answers. 21:46.080 --> 21:48.280 If anybody tells you, hey, you must do, 21:48.280 --> 21:51.160 you can just say, go away, not my problem. 21:51.160 --> 21:54.360 So next, rights of upstream FOSS developers. 21:54.360 --> 21:57.200 The manufacturers using your project must report 21:57.200 --> 21:59.200 all vulnerabilities to you. 21:59.200 --> 22:01.360 They must give you their security fixes, 22:01.360 --> 22:03.000 if they have any, for free. 22:03.000 --> 22:05.200 Of course, it's the law. 22:05.200 --> 22:06.880 And the idea is to shift the burden 22:06.880 --> 22:09.080 from free and open source developers to the manufacturer. 22:09.080 --> 22:11.280 Yeah. 22:11.280 --> 22:14.320 Sorry, I think this is a good one. 22:14.320 --> 22:17.200 So manufacturers, on the other hand, subject to the CRA, 22:17.200 --> 22:19.840 they must report actively exploited vulnerabilities. 22:19.840 --> 22:22.680 They must report severe incidents affecting products 22:22.680 --> 22:23.880 with digital elements.
22:23.880 --> 22:27.040 And everybody else has voluntary reporting. 22:27.040 --> 22:29.400 It's your choice if you do it or not. 22:29.400 --> 22:32.680 You can report pretty much anything which is a problem, 22:32.680 --> 22:34.320 if it has security implications, 22:34.320 --> 22:36.680 and there's also the single reporting platform mentioned 22:36.680 --> 22:38.960 by Philippe, which makes it easier to report. 22:38.960 --> 22:41.240 So if you don't know how to contact your cybersecurity 22:41.240 --> 22:44.160 authority or authority elsewhere in the EU, 22:44.160 --> 22:47.360 you can use that single reporting platform. 22:47.360 --> 22:50.920 CRA: we, as BSI, are also market surveillance authority, 22:50.920 --> 22:54.400 which means we ensure a level playing field. 22:54.400 --> 22:57.400 That means, in less than friendly words, 22:57.400 --> 22:59.840 we're taking the trash out. 22:59.840 --> 23:03.400 So anybody having a product which is trash, 23:03.400 --> 23:06.440 we want to have the level playing field. 23:06.440 --> 23:08.400 We also, as a market surveillance authority, 23:08.400 --> 23:10.480 support communication along the supply chain, 23:10.480 --> 23:11.920 support free and open source developers 23:11.920 --> 23:13.800 as much as we can, and also consumers. 23:13.800 --> 23:16.320 The manufacturers as well, so we're not anti-manufacturers. 23:16.320 --> 23:17.880 We're going to help them as well. 23:17.880 --> 23:21.080 And we help you understand the CRA and exercise your rights. 23:21.080 --> 23:22.680 Next, please. 23:22.680 --> 23:25.000 So BSI is also a cybersecurity authority. 23:25.000 --> 23:28.280 We have to maintain data to improve IT security for everybody. 23:28.280 --> 23:29.920 Even also for free and open source software. 23:29.920 --> 23:31.560 We are active in CRA standardization, 23:31.560 --> 23:34.600 I myself am active in the operating systems standard, 23:34.600 --> 23:36.560 and food management standard.
23:36.560 --> 23:38.160 Sorry. 23:38.160 --> 23:39.840 We are also paying for security features 23:39.840 --> 23:41.360 in free and open source software, for example, 23:41.360 --> 23:43.320 document signing, and we do outreach. 23:43.320 --> 23:47.200 And, well, admittedly, I'm also a free and open source software 23:47.200 --> 23:49.360 developer and maintainer, have been doing that 23:49.360 --> 23:50.960 for the last 24 years. 23:50.960 --> 23:53.360 So I know solving tech problems is easy. 23:53.360 --> 23:55.960 Getting paid or getting taken seriously 23:55.960 --> 23:58.840 or even getting supported is way more difficult. 23:58.840 --> 24:02.080 And I hope that the CRA will be that helping hand 24:02.080 --> 24:03.360 for those boring tasks. 24:03.360 --> 24:05.560 Toss, thank you. 24:05.560 --> 24:10.160 Thank you.