WEBVTT

00:00.000 --> 00:11.480
Good morning, everyone.

00:11.480 --> 00:19.680
So this is our European Commission presentation about the Cyber Resilience Act, somehow

00:19.680 --> 00:27.760
reporting to the community about how we have tried to engage with you.

00:27.760 --> 00:34.760
In 2024, we also gave a talk called "The regulators are coming".

00:34.760 --> 00:39.800
Well, two years later, the regulators are here.

00:39.800 --> 00:41.000
My name is Philippe Morão.

00:41.000 --> 00:46.160
I am a policy officer in DG Connect in the CRA team.

00:46.160 --> 00:51.640
I'm joined on the stage, actually.

00:51.640 --> 00:55.040
I'm joined on the stage by Lucia Lampri from CEN.

00:55.040 --> 01:01.940
That's a European standardization organization, Luach Pursan from ETSI, another European

01:01.940 --> 01:04.080
standardization organization.

01:04.080 --> 01:10.080
And Carl Daniel Helfinger from the German BSI, who will be a market surveillance authority

01:10.080 --> 01:12.520
under the CRA.

01:12.520 --> 01:19.360
So in case some people are not yet very familiar with the CRA, we will cover some basics,

01:19.360 --> 01:24.240
and we will give you an update of where we are, what we've been doing, and how you can

01:24.240 --> 01:26.320
still get involved.

01:26.320 --> 01:32.080
I hope you can hear me well because the microphone is, okay.

01:32.080 --> 01:40.720
So in a nutshell, the CRA is asking manufacturers to remove vulnerabilities from their products

01:40.720 --> 01:43.200
before placing them on the market.

01:43.200 --> 01:50.480
It's nothing against Swiss cheese, it's just against vulnerabilities in products.

01:50.480 --> 02:00.240
And it uses the logic of EU product legislation with the CE marking to define horizontal

02:00.240 --> 02:07.480
requirements for products that apply in a risk-based way across the product lifecycle.

02:07.480 --> 02:14.160
That means also once the product has been placed on the market, manufacturers are asked

02:14.160 --> 02:17.320
to do vulnerability handling.

02:17.320 --> 02:23.040
It uses harmonized standards to help manufacturers comply.

02:23.040 --> 02:30.400
And the enforcement of the legislation happens ex post by market surveillance authorities.

02:30.400 --> 02:33.640
That's the general logic.

02:33.640 --> 02:37.080
The scope of the CRA is quite broad.

02:37.080 --> 02:45.200
It covers both software and hardware products, including the remote data processing solutions,

02:45.200 --> 02:51.000
the remote parts of our products more and more prevalent every day.

02:51.000 --> 02:57.280
There are some important exclusions, though, in particular, non-commercial products are excluded

02:57.280 --> 03:03.280
from scope, which of course includes all non-commercial open source.

03:03.280 --> 03:10.160
There's also an exclusion for standalone services, exclusively web-based websites, things

03:10.160 --> 03:11.160
like that.

03:11.160 --> 03:18.200
And there's also some sectoral exclusions, products that are regulated by other legislation,

03:18.200 --> 03:25.440
like medical devices, automotive, aeronautic, marine equipment.

03:25.440 --> 03:32.200
The CRA, because it covers this broad scope, one of the things that really I think will

03:32.200 --> 03:37.280
do, is it will foster supply chain cooperation.

03:37.280 --> 03:44.040
It's really the first time that manufacturers essentially have to speak to their suppliers

03:44.040 --> 03:50.640
and to their downstream integrators in order to get more information about what's happening

03:50.640 --> 03:54.840
so that that will help them to comply more easily.

03:54.840 --> 04:02.880
So the CRA creates the conditions for large-scale cooperation along the supply chain.

04:02.880 --> 04:07.840
And the approach to open source, which I think is probably the most important slide today,

04:07.840 --> 04:15.200
is that only directly monetized open source products are subject to the CRA.

04:15.200 --> 04:20.080
That means only those that are being properly commercialized.

04:20.080 --> 04:28.880
If you just provide development and you charge for your time or for your resources,

04:28.880 --> 04:34.040
that might not even be a form of commercialization.

04:34.040 --> 04:39.600
If it's free and open source, we don't want to prevent you from doing your work.

04:39.600 --> 04:43.120
We don't want to put extra burdens on you.

04:43.120 --> 04:50.640
On the other hand, if you are providing support services, branding and placing this on the

04:50.640 --> 04:56.680
market and their trademark, then you are considered like any other manufacturer.

04:56.680 --> 05:02.800
Then the CRA also creates the open source steward, not anyone can be a steward.

05:02.800 --> 05:07.920
You have to be a legal entity, non-profit.

05:07.920 --> 05:13.480
And for those, it creates a kind of lightweight approach where stewards have to set out

05:13.480 --> 05:19.560
a policy basically kind of setting out best practices for a community.

05:19.560 --> 05:24.560
So this is the general logic of the CRA, and for us, the most important message is that

05:24.560 --> 05:29.800
the CRA does not regulate non-commercial open source.

05:29.800 --> 05:35.800
So for instance, all of the very useful tips that were provided by the previous speaker,

05:35.800 --> 05:42.680
all of those I think are much more useful for an open source company, an open source manufacturer

05:42.680 --> 05:45.120
who is in scope of the CRA.

05:45.120 --> 05:50.880
But if you are just an open source developer who is not commercializing your code, well,

05:50.880 --> 05:54.640
yeah, you can do those things and that might be good for the world, but you don't have

05:54.640 --> 05:55.640
to.

05:55.640 --> 05:58.880
And the CRA doesn't ask you to do them at all.

05:58.880 --> 06:04.120
That's, I think, a very important message that we wanted to remind everyone of.

06:04.120 --> 06:07.320
So anyway, quick point on the timeline.

06:07.320 --> 06:12.800
The CRA was adopted end of 2024, and we are in the transition period.

06:12.800 --> 06:14.560
That's a three-year period.

06:14.560 --> 06:19.800
We've been busy on standards, we've been busy on guidance, there's a CRA expert group.

06:19.800 --> 06:22.560
We're just a few details on that.

06:22.560 --> 06:27.960
The expert group includes open source representatives, it includes open source SMEs,

06:27.960 --> 06:33.880
it includes foundations, and we are quite happy with the variety of stakeholders.

06:33.880 --> 06:38.280
There's also been work that we have done in terms of implementing legislation with the

06:38.280 --> 06:43.160
technical descriptions of important and critical product categories.

06:43.160 --> 06:47.200
And there's been published the CRA website with FAQs.

06:47.200 --> 06:51.720
So please check those out if you're curious to understand better about the legal reasoning

06:51.720 --> 06:54.880
behind the CRA.

06:54.880 --> 07:00.400
And coming up this next year, there will be more CRA guidance, in this case, it's a lot

07:00.400 --> 07:07.480
about the FAQs becoming more official guidance, including guidance on the definition of open

07:07.480 --> 07:12.360
source and the definition of open source stewards, notions such as the monetization or the

07:12.360 --> 07:13.640
commercialization.

07:13.640 --> 07:18.960
So a lot of the questions that you might still have about what is the nitty-gritty details

07:18.960 --> 07:21.560
of when the CRA applies or doesn't.

07:21.560 --> 07:26.480
We hope that this will go a far way to answering those questions.

07:26.480 --> 07:31.800
But even if they don't, bear in mind, we see this as a living document that we will continue

07:31.800 --> 07:33.280
to update.

07:33.280 --> 07:37.920
We will continue to engage with the community, collect your questions, and try to answer

07:37.920 --> 07:39.920
them.

07:39.920 --> 07:44.560
There's also a study ongoing on voluntary security attestations.

07:44.560 --> 07:47.600
This comes from the CRA Article 25.

07:47.600 --> 07:54.200
We hear a lot of interest from the community as a way of developing these attestations

07:54.200 --> 08:00.160
in a way that will actually support developers and manufacturers going forward on open

08:00.160 --> 08:01.560
source.

08:01.560 --> 08:07.080
And we are also working with ENISA, who will be setting up a single reporting platform

08:07.080 --> 08:13.400
because CRA reporting obligations, again, just for manufacturers, they kick in from September

08:13.400 --> 08:16.080
2026.

08:16.080 --> 08:18.160
There's a standardization request.

08:18.160 --> 08:20.120
It was adopted early last year.

08:20.120 --> 08:23.000
A lot of standardization effort has been going on.

08:23.000 --> 08:29.520
This image represents visually a little bit the architecture of the standardization request.

08:29.520 --> 08:33.640
And basically, there's a framework standard, some horizontal standards.

08:33.640 --> 08:38.680
And then the type C standards that you see at the bottom, these are product specific or

08:38.680 --> 08:44.240
product category standards that will be able to go into the details sufficiently to receive

08:44.240 --> 08:46.600
a presumption of conformity.

08:46.600 --> 08:51.400
That is the objective of harmonized standards.

08:51.400 --> 08:56.400
So participation of open source, how has this happened in the CRA?

08:56.400 --> 08:59.480
I tried to summarize that in this slide.

08:59.480 --> 09:03.360
Essentially, we heard you during the legislative process.

09:03.360 --> 09:08.160
The Commission came out with a proposal, and maybe it was not as clear as many of you

09:08.160 --> 09:11.000
would have liked the exclusion on open source.

09:11.000 --> 09:13.960
So I think that that was improved in the text.

09:13.960 --> 09:16.880
Then during the standardization, we've made efforts.

09:16.880 --> 09:21.880
And we will hear a little bit more about that from the standardization bodies who are here.

09:21.880 --> 09:27.880
There is participation, even in the CRA expert group, there is participation for the development

09:27.920 --> 09:29.200
of guidance.

09:29.200 --> 09:34.000
And of course, we have some proactive engagement from the Commission with the open source

09:34.000 --> 09:37.800
communities, case in point.

09:37.800 --> 09:40.600
So that's my part of the presentation.

09:40.600 --> 09:42.440
Thanks everybody for listening.

09:42.440 --> 09:46.640
I want to say that there are pins and stickers that have been floating around.

09:46.640 --> 09:50.280
So please come and collect your pins and stickers for the CRA.

09:50.280 --> 09:56.680
And then I will pass the microphone to Lucia for the CEN-CENELEC part of the presentation.

09:56.680 --> 10:04.160
Thank you very much, Philippe.

10:04.160 --> 10:05.160
So I'm Lucia Lampri.

10:05.160 --> 10:06.760
I'm from CEN and CENELEC.

10:06.760 --> 10:12.600
And we are two out of the three European standardization organizations.

10:12.600 --> 10:17.080
And we have members in thirty-four countries, that's how we work, member-based, country

10:17.080 --> 10:18.080
by country.

10:18.080 --> 10:23.720
So if you read your country here, probably you will see also the race representative.

10:23.720 --> 10:26.640
And then you can Google and you can read more about it.

10:26.680 --> 10:30.000
How to join, for example, and the work that they are doing.

10:30.000 --> 10:34.280
We are also working in many, many sectors, not only ICT, but a lot of sectors.

10:34.280 --> 10:42.000
We have over 90,000 experts in our network of experts and 482 technical bodies.

10:42.000 --> 10:45.880
So that was a little bit of facts and who we are.

10:45.880 --> 10:46.880
How we work.

10:46.880 --> 10:49.200
So we have expert working groups.

10:49.200 --> 10:52.080
We have experts nominated by the national members.

10:52.120 --> 10:56.720
So we have European partners, including the Commission and Annex

10:56.720 --> 11:02.160
III organizations that are in ICT, international level, affiliates,

11:02.160 --> 11:06.280
partners organizations and in particular for the cyber activities.

11:06.280 --> 11:09.520
We have received requests from the foundations.

11:09.520 --> 11:15.880
We have the Eclipse Foundation and the current request from the Linux Foundation.

11:15.880 --> 11:20.480
As it was mentioned in the pyramid that Philippe was showing, we have different technical

11:20.560 --> 11:21.360
bodies.

11:21.360 --> 11:26.360
So we are developing standards at the JTC 13, CEN/TC 224,

11:26.360 --> 11:28.840
CENELEC 47X and 65X.

11:28.840 --> 11:31.480
So those are the names of our technical bodies.

11:31.480 --> 11:33.640
We have a lot of technical bodies.

11:33.640 --> 11:38.200
And so if you want to know more, remember that slide of the pyramid that shows

11:38.200 --> 11:41.080
the structure of standardization request.

11:41.080 --> 11:43.560
So this is a very important slide.

11:43.560 --> 11:48.440
It's the final slide that I have before handing out the floor to my colleague.

11:48.480 --> 11:50.520
Where were we before in the past?

11:50.520 --> 11:55.080
So we come from a long-standing trusted system, the European

11:55.080 --> 11:58.760
standardization organization, CENELEC, it's from their side.

11:58.760 --> 12:01.040
They are a little bit different than us.

12:01.040 --> 12:04.280
And we were always based in the international frameworks.

12:04.280 --> 12:10.400
And we had then the decades of following the ISO and IEC international levels.

12:10.400 --> 12:14.600
And we were largely unknown to the open source communities

12:14.640 --> 12:17.320
and there they were also unknown to us.

12:17.320 --> 12:18.560
Where are we today?

12:18.560 --> 12:23.240
So we found that not only for the CRA, but the broader ICT context,

12:23.240 --> 12:28.920
the open source communities become more and more relevant to our work.

12:28.920 --> 12:33.320
So there is growing engagement to the open source foundations to us.

12:33.320 --> 12:35.840
But also we noticed that there are barriers.

12:35.840 --> 12:37.800
There is limited access.

12:37.800 --> 12:39.160
We have a cultural gap.

12:39.160 --> 12:42.480
I think this one is a very important one because we see that there

12:42.480 --> 12:47.320
are different needs and languages from our stakeholders and from your communities.

12:47.320 --> 12:52.880
And now we're trying to shift towards a more agile development of our specifications

12:52.880 --> 12:56.600
trying to incorporate different tools.

12:56.600 --> 13:01.520
And we identify the disequential moment because the mutual learning has become.

13:01.520 --> 13:03.240
So this is good, not perfect.

13:03.240 --> 13:05.200
And where are we going now?

13:05.200 --> 13:12.080
We are trying to have a structured dialogue and engage more with the open source communities

13:12.120 --> 13:17.760
we're seeking input from our technical committees and trying to do expert interviews.

13:17.760 --> 13:21.440
I have my wonderful colleague, Janice, who is handing out the stickers.

13:21.440 --> 13:28.240
He's helping us with collecting this information and we are trying to prepare the ground for a stronger collaboration.

13:28.240 --> 13:31.920
And we are trying to engage management and different kinds of inputs.

13:31.920 --> 13:34.160
So this is where we are today.

13:34.160 --> 13:37.280
We are learning, we are wanting to hear from you.

13:37.360 --> 13:45.600
And this is on behalf of us, both since the legacy, we have multiple stakeholder involvement at events.

13:45.600 --> 13:48.120
And if you want to stay tuned, follow our events, please.

13:48.120 --> 13:50.880
And there is an ENISA conference also coming up in March.

13:50.880 --> 13:53.200
So thank you, and I give the floor to Laura.

13:59.200 --> 14:00.280
Thank you, Lucia.

14:00.280 --> 14:02.320
Can you hear me?

14:02.320 --> 14:03.560
Yes, OK.

14:03.560 --> 14:08.200
So ETSI is also a European standardization organization.

14:08.200 --> 14:15.640
Together with CEN and CENELEC, we have the task to develop the standards to implement the CRA.

14:15.640 --> 14:23.000
In ETSI, the stakeholders participate directly in the development of the standards.

14:23.000 --> 14:30.360
We are a non-for-profit organization and our membership includes very diverse organizations.

14:30.360 --> 14:35.800
We have big industry players, but we also have SMEs, micro enterprises.

14:35.800 --> 14:43.080
We have associations, academia, governments, and public bodies participating on an equal footing

14:43.080 --> 14:46.920
to the development of the standards.

14:46.920 --> 14:49.880
The membership is not limited to European companies.

14:49.880 --> 14:58.520
We have 900 members coming from 60 different countries and maybe most importantly to this audience.

14:58.520 --> 15:07.160
Linux Foundation, Eclipse Foundation, OSI, Mozilla, and many other companies involved in open source software development.

15:07.160 --> 15:14.600
Are members and they can nominate delegates to participate in the work of the technical groups.

15:14.600 --> 15:19.080
So you're welcome to join the technical groups to develop the standards.

15:19.080 --> 15:25.240
In order to implement the CRA standardization request, we created a specific group within

15:25.240 --> 15:33.080
a technical committee on cybersecurity and this group is named EUSR for EU standardization request.

15:33.080 --> 15:38.040
A good fast because this is a specific technical group that we have created.

15:39.080 --> 15:41.240
I come to the subject matter.

15:41.240 --> 15:49.480
In this group, we are developing a 17 and a 19 bonus harmonized standards.

15:49.480 --> 15:51.240
So what are harmonized standards?

15:51.240 --> 15:57.720
They are technical specifications that translate the essential requirements of the regulation

15:57.720 --> 16:02.760
into practical requirements that you can implement in your products,

16:02.760 --> 16:06.840
but practical security measures that reflect the state of the art.

16:07.400 --> 16:14.680
Also, the harmonized standards include assessment criteria that can be used to verify

16:14.680 --> 16:18.440
in an objective manner that these technical requirements are met.

16:19.000 --> 16:25.000
You can see here the list of product categories for which we develop standards.

16:25.000 --> 16:32.920
There are 17 of them. I let you read, we have browsers, password managers, antivirus, VPNs, etc.

16:33.320 --> 16:38.040
I want to stress the fact that many of our rapporteurs,

16:38.040 --> 16:43.000
meaning the people who are in the leading role to draft standards,

16:43.000 --> 16:47.880
in fact the majority of them are people coming from the open source community,

16:47.880 --> 16:49.960
and many of them are present in the room.

16:49.960 --> 16:55.240
So if you want to have a chance to exchange with them, please do so.

16:58.920 --> 17:02.280
That's my message, so you're welcome to talk to the rapporteurs,

17:02.280 --> 17:04.680
and you're also welcome to contribute to the standards.

17:06.680 --> 17:08.040
So how can you contribute?

17:08.840 --> 17:11.080
Throughout the standard development process,

17:11.080 --> 17:14.280
we've tried to follow a very open and transparent process.

17:15.160 --> 17:18.760
We have started open consultation back in November,

17:18.760 --> 17:23.640
and we have basically made our draft standards publicly available

17:23.640 --> 17:28.280
in an open area as well as in a GitLab repository.

17:29.560 --> 17:39.080
Since November, at this moment, we have mature drafts posted in the open area in GitLab,

17:39.240 --> 17:45.000
and we invite you to review those, and to submit your comments in the GitLab platform,

17:45.000 --> 17:47.960
I will show the link on the next slide.

17:49.320 --> 17:55.000
The other thing we have organized together with Lucia are deep dive sessions,

17:55.000 --> 18:00.360
but then over where we have basically webinars,

18:00.360 --> 18:05.240
open to the public, where the rapporteurs were explaining the content of the standards,

18:05.240 --> 18:07.880
and offering people the opportunity to engage.

18:08.440 --> 18:13.400
And these webinars have been recorded, and you can listen to them in replay.

18:15.400 --> 18:22.040
Another important point is the fast track pace at which we are working,

18:22.040 --> 18:26.600
so the opportunity to comment on the draft standards is now,

18:26.600 --> 18:31.640
between now and the end of March, please submit your comments, please review,

18:31.640 --> 18:37.560
because after that stage, the final drafts will go under a formal approval,

18:38.360 --> 18:43.400
the public inquiry that will be led by the National Authorities Organization,

18:43.400 --> 18:47.240
so you will no longer have the opportunity to influence directly,

18:47.240 --> 18:51.480
but you will have to go through your national delegation to submit your comments.

18:51.480 --> 18:55.960
But comments will still be received until roughly the middle of this summer.

18:56.040 --> 19:01.880
Okay, so I think the main message was this.

19:01.880 --> 19:08.040
So please join us, please take this opportunity to influence and contribute to the standards.

19:08.040 --> 19:14.040
You can read them at this link where the QR code is pointing to.

19:14.040 --> 19:19.000
At this moment, we have 13 standards available there for you to review.

19:19.000 --> 19:23.960
Next week, there will be all 17 of them, so please do so.

19:24.040 --> 19:26.040
And we'll welcome your input. Thanks a lot.

19:35.320 --> 19:40.760
Hi, so, um, yep, I first wanted to say thank you.

19:43.480 --> 19:50.040
You can unmute me? Excellent, so, um, thank you. Thank you for pouring your heart

19:50.680 --> 19:53.480
into developing free and open source software.

19:53.480 --> 19:56.040
You sacrifice your time for the common good.

19:56.040 --> 20:00.200
You create the digital building blocks of our society and you help build our future.

20:00.200 --> 20:04.760
So if you see that small temple on the right, in these bricks, it's written FOSS.

20:04.760 --> 20:06.520
You probably can't see that on the screen.

20:07.160 --> 20:10.280
And we, we appreciate this gift you're giving to the whole society.

20:10.280 --> 20:13.480
We want to say thank you. A heartfelt thank you.

20:13.480 --> 20:17.400
And we promise the CRA will help you. We also know words are nice.

20:17.560 --> 20:23.880
A practical help is a lot better. So, um, um, obligatory comic time.

20:23.880 --> 20:27.880
And this is intended to be a stick figure carrying a huge rock, uh,

20:27.880 --> 20:31.800
written with pressure and demands. And so, is the CRA just another burden?

20:31.800 --> 20:34.520
The final straw to make you collapse and kill you?

20:34.520 --> 20:38.440
No, of course not. The CRA is intended as your sword and shield.

20:38.440 --> 20:42.200
Shall shield you against demands, against pressure, against obligations.

20:42.200 --> 20:46.840
And also your sword, so you can take that sword and force a seller of

20:46.840 --> 20:51.960
product with digital elements containing your project to give you the bug fixes for free.

20:51.960 --> 20:56.440
Of course. Yeah. So, because people have asked, um,

20:56.440 --> 21:00.840
obligations of a non-commercial free and open source software developers are zero.

21:00.840 --> 21:05.480
There are no obligations. You do not need to join any steward or whatever.

21:05.480 --> 21:08.520
If you're a free and open source developer, not earning money with that,

21:08.520 --> 21:12.280
and you're out of scope of the CRA. And everybody telling us something else,

21:12.280 --> 21:14.040
can please go away and read the law.

21:17.320 --> 21:26.600
So, uh, next, uh, point, not even if somebody is using your project in their commercial

21:26.600 --> 21:31.560
project, that's their problem, not your problem. And you have no obligation for bug fixes and

21:31.560 --> 21:36.040
software bill of materials, reaction time or whatever, because you just can tell them go away.

21:36.040 --> 21:38.840
And by the way, at the end of the FOSDEM page for this talk,

21:38.840 --> 21:43.640
there is a list of unofficial answers, quoting the law, why this is correct.

21:43.640 --> 21:48.120
So, you can just copy-paste those answers. If anybody tells you, hey, you must do,

21:48.120 --> 21:54.280
you can just say, go away, not my problem. So, um, next, rights of upstream FOSS developers.

21:54.280 --> 21:58.360
The manufacturers using your project must report all vulnerabilities to you.

21:59.160 --> 22:05.080
They must give you their security fixes if they have any for free. Of course, it's the law.

22:05.080 --> 22:09.080
And the idea is to shift the burden from free and open source developers to the manufacturer.

22:09.080 --> 22:12.520
Yeah. I'm sorry, I think the skip one.

22:14.280 --> 22:18.920
So, manufacturers, on the other hand, subject to CRA, they must report actively exploited

22:18.920 --> 22:23.720
vulnerabilities, they must report severe incidents, affecting products with digital elements.

22:23.720 --> 22:28.360
And everybody else has voluntary reporting, it's your choice if you do it or not.

22:29.160 --> 22:31.480
You can report pretty much anything, which is a problem.

22:32.520 --> 22:36.680
If it has security implications, and there's also the single reporting platform mentioned by

22:36.680 --> 22:41.080
Philippe, which makes it easier to report. So, if you don't know how to contact your cybersecurity

22:41.080 --> 22:45.640
authority or any authority elsewhere in the EU, you can use that single reporting platform.

22:46.280 --> 22:53.320
Okay, CRA, we, as BSI, are also market surveillance authority, which means we ensure a level playing

22:53.320 --> 22:58.840
level playing field. That means in less than friendly words, you're taking the trash out.

22:59.720 --> 23:06.280
So, anybody having a product which is trash, and we won't have the level playing field.

23:06.280 --> 23:10.360
We also, as a market surveillance authority, support communication along the supply chain,

23:10.360 --> 23:13.640
support free and open source developers, as much as we can, and also consumers.

23:13.640 --> 23:17.640
And manufacturers as well, so we're not anti-manufacturers, you're going to help them as well.

23:17.640 --> 23:21.160
And we help you understand the CRA and exercise your rights. Next, please.

23:22.520 --> 23:28.040
So, BSI is also cybersecurity authority. We have to maintain to improve IT security for everybody.

23:28.040 --> 23:31.960
Even also for free and open source. So, we are active in CRA standardization, I myself,

23:32.040 --> 23:36.760
active in the operating systems standard, and boot manager standard. Sorry.

23:38.040 --> 23:41.240
We are also paying for security features and free and open source software, for example,

23:41.240 --> 23:46.840
document signing, and we do outreach. And, well, admittedly, I'm also a free and open source

23:46.840 --> 23:50.840
software developer and maintainer, have been doing that for the last 24 years.

23:50.840 --> 23:55.880
So, I know solving tech problems is easy. Getting paid or getting taken seriously,

23:55.880 --> 24:01.240
or even getting supported is way more difficult. And I hope that the CRA will be that

24:01.240 --> 24:04.440
helping hand for those boring techs. Thus, thank you.