WEBVTT

00:00.000 --> 00:11.160
All right, hi, everyone. My name is Tobie Langel. I run a small consulting firm. And

00:11.160 --> 00:19.960
right now, I'm very focused on helping the Eclipse Foundation implement the CRA with the

00:19.960 --> 00:27.040
open regulatory compliance working group. So initially, I thought I was just going to be

00:27.040 --> 00:31.520
able to give you the same slide deck as I gave you this week, but then we decided

00:31.520 --> 00:36.240
to sort of like change the organization of today. So you still get to see the picture

00:36.240 --> 00:41.440
because I think the picture kind of like says a lot of things, but I kind of want to

00:41.440 --> 00:49.920
give you an update of where we're at and how the ORC is really dealing with this whole

00:49.920 --> 00:57.000
process. So I'll address like five topics, the key issues we've done the way, the consequences

00:57.000 --> 01:02.760
of those issues. I do have some good news. I'll give you a quick status update of what

01:02.760 --> 01:07.480
we're trying to fix. And then like some key learnings, which I think are useful for us, but

01:07.480 --> 01:14.920
just more broadly. So the key issues that we bumped into really quickly was a knowledge gap

01:14.920 --> 01:19.640
and an awareness gap. So first we really saw the knowledge gap because everyone was kind of

01:19.640 --> 01:26.360
like scrambling to figure out what the CRA thing was, you know, myself first. And secondly, you know,

01:26.360 --> 01:31.640
as we move through the year, we realize that like a lot of a lot of folks just like didn't even

01:31.640 --> 01:35.320
know the CRA was a thing or what it meant, or whether it impacted them or not, right?

01:37.880 --> 01:44.040
The third issue that we really had is that open source is just unused to top-down.

01:44.600 --> 01:49.640
We're used to like scratching our itch and getting together to do that, but they were essentially

01:49.640 --> 01:55.480
told by an external party, you have this itch to scratch and no one really knew what kind of

01:55.480 --> 02:01.080
itch it was or where it was itching or who felt the itch. So you know, that created like this kind of like

02:01.080 --> 02:07.640
lack of a sense of urgency that was really, really hard to go through. And then lastly, you know,

02:07.640 --> 02:13.400
there's a mismatch between how software is built in general and how some of the institutions

02:13.400 --> 02:18.520
in the EU are structured by no fault of anyone. This is just historically things about

02:19.080 --> 02:25.320
some institutions are way older than software and hence that adds a bunch of friction.

02:27.240 --> 02:32.680
The consequence is, well, I mentioned no sense of urgency already. The second point obviously is

02:32.680 --> 02:37.720
very few experts, right? I mean, the sheer fact that I'm the one running this thing, I mean,

02:37.720 --> 02:43.160
should like be a big tell, right? I'm scrambling. We're all scrambling to try to figure out

02:43.160 --> 02:52.360
this completely new field. And then the third point is sort of the ideal solution situation here

02:52.360 --> 02:58.520
would have been, you know, manufacturers coming to open source with clear requirements of,

02:58.520 --> 03:04.920
hey, we need to do due diligence, these are the things that we need. The problem is the open source

03:04.920 --> 03:10.680
ecosystem is a little ahead of the curve here and the manufacturers really don't know

03:10.760 --> 03:14.600
what they need. So we have to kind of like figure out this together,

03:16.200 --> 03:24.040
you know, building the plane as we fly it. Good news. This is news for everyone, right?

03:24.040 --> 03:29.960
Everyone everywhere and every meeting that I've been in, whether it's in the institutions

03:29.960 --> 03:35.640
or whether it's, you know, in the standardization organizations, everywhere, we're, you know, in

03:35.640 --> 03:41.080
ourselves, we're trying to figure out this completely new thing that is regulating software.

03:41.960 --> 03:48.200
And so, you know, I think some of the outcomes of that is like show each other some empathy and some

03:48.200 --> 03:54.760
understanding. And that's also, you know, going to get us a long way faster. I mentioned this open

03:54.760 --> 04:00.280
source because the CRA encroached on open source and that kind of raised a panic,

04:00.360 --> 04:11.160
um, an important panic in the open source communities, um, we're just, you know, we feel like we're

04:11.160 --> 04:16.440
very far behind, but we're actually a little bit ahead of the curve here, which I find like really

04:16.440 --> 04:22.600
interesting. And then yeah, the last thing that I think is really important is everywhere, um, you know,

04:22.600 --> 04:27.400
despite seeing, seeing scrambling, I've also seen like a lot of willingness to collaborate

04:27.480 --> 04:32.520
and figure out ways to work together and to move forward. And so I think that's really, really,

04:32.520 --> 04:38.840
that's just really beautiful, so very happy about this. Um, so status update, um, I think we're closing

04:38.840 --> 04:43.400
the awareness and education gap. Well, at least we had like starting to have a sense of how to do this

04:43.400 --> 04:49.320
and we're starting to execute on this, which is really cool. Um, second thing is we're finding the

04:49.320 --> 04:54.920
right way to communicate because it's really difficult to just figure out how to, how to, where to talk,

04:54.920 --> 05:00.760
how to talk, uh, what to say, et cetera. Um, and then, you know, in the ORC itself,

05:00.760 --> 05:05.000
I think we're identifying the right deliverables now. Uh, we're understanding, uh, we're understanding

05:05.000 --> 05:12.040
how to deliver them, when to deliver them and also to whom, right? Um, and so, my key learnings

05:13.320 --> 05:19.720
is the first thing is you have to do parallel tracks, right? There are a long term things that we

05:19.800 --> 05:25.160
want to fix. Uh, for example, like quite clearly the standards organizations, uh, the European

05:25.160 --> 05:30.040
standard organizations don't fit software very well, right? We think we

05:30.040 --> 05:34.840
cannot fix this for the CRA. We have to have a long view on this and there are mechanisms for this,

05:34.840 --> 05:40.600
there's a revision of 1025, et cetera. And we can be effective and do work there, but at the

05:40.600 --> 05:47.640
same time, we have to figure out real room and ways to work on the CRA now. So there's these two

05:47.720 --> 05:52.280
things that we must do in parallel. And I think it's super important all the time to try to

05:52.920 --> 05:57.880
figure out, like, okay, what's the long view here, like how can we work on the long view and what's

05:57.880 --> 06:04.120
what we need to focus on right now to solve this specific problem. Um, then, um, yeah, this is chaotic,

06:04.120 --> 06:09.320
but there are opportunities in chaos, right? We have to embrace it. Um, you know, and I think, uh,

06:09.320 --> 06:16.520
uh, the presentation with the board before really shows this. Like this actually, I think was really

06:16.600 --> 06:21.480
useful for a bunch of people who saw some really nice slides. In the past, you just see the whole

06:21.480 --> 06:26.120
thing again on a whiteboard with a completely different perspective. That's just a tiny example,

06:26.120 --> 06:32.200
but if it's chaotic, like, there might be, uh, things to get out of the chaos. Um, and then

06:32.200 --> 06:37.960
focus on best possible outcomes, right? Like, we're not going to get things perfect, so, uh, let's

06:38.040 --> 06:45.720
not get lost in, um, in trying to make everything perfect. Let's try to make things, like, not bad.

06:46.280 --> 06:51.800
And that's, that's like a, that's a win, right? Um, and then lastly, and I think that's the most

06:51.800 --> 06:56.920
important, and I think this is why it's amazing to have all of you here. It's all of this is at the end,

06:56.920 --> 07:03.080
it's about, it's about people, um, and like the best way to fix and to make this work is to build

07:03.160 --> 07:08.040
bridges and work with others. So that's, like, really my, you know, if there's anything, I want to,

07:08.040 --> 07:15.080
you all to remember it's that last thing. Um, and that's it. Thank you. Uh, you can come in the

07:15.080 --> 07:31.080
help us, uh, uh, here. No, no, I know, I'm putting this away.

07:45.960 --> 07:53.100
then we then have all worked up with Toby is going to be leading. So, uh,

08:03.240 --> 08:08.280
between the lines, hello.

08:15.080 --> 08:20.080
We get involved, so they don't receive it for the flow, that's simply a thing there.

08:20.080 --> 08:22.080
Hello.

08:22.080 --> 08:24.080
Thank you very much.

08:24.080 --> 08:26.080
Thank you.

08:26.080 --> 08:28.080
Sorry.

08:28.080 --> 08:29.080
All right.

08:29.080 --> 08:34.080
What much does it be asked?

08:34.080 --> 08:37.080
Okay.

08:37.080 --> 08:41.080
And...

08:41.080 --> 08:46.080
So if we could finish off the room changeover quickly, that would be great.

08:46.080 --> 08:48.080
Do take a seat.

08:48.080 --> 08:51.080
There's two spaces in the middle there.

08:51.080 --> 08:53.080
You'll sit on the stair.

08:57.080 --> 08:59.080
Okay. You'll come behind.

08:59.080 --> 09:00.080
Hold it right here.

09:00.080 --> 09:01.080
Yeah.

09:01.080 --> 09:06.080
If you want to be on the video, you have to stand in this box here.

09:06.080 --> 09:09.080
I don't want to be on the video, that's why don't care.

09:09.080 --> 09:10.080
Okay.

09:10.080 --> 09:18.080
So this section is a panel, and the question that this panel is wanting to examine is what

09:18.080 --> 09:26.080
are the lessons that we've learned over the last year from taking forward the legislation

09:26.080 --> 09:29.080
that you're representing?

09:29.080 --> 09:34.080
So in particular, I'm fascinated to hear Philippe, what your experiences of working with the

09:34.080 --> 09:37.080
open source community have been and what lessons you've learned.

09:37.080 --> 09:42.080
Clearly, you can see that it's made a big difference.

09:42.080 --> 09:49.080
And then I'm also interested to hear from your team, have you heard from the open source

09:49.080 --> 09:50.080
community?

09:50.080 --> 09:53.080
What lessons have you learned about open source this year?

09:53.080 --> 09:59.080
And Toby, if you could proxy the people who aren't here from the AI team at the commission,

09:59.080 --> 10:00.080
that would be great.

10:00.080 --> 10:03.080
But if you can't, don't worry.

10:04.080 --> 10:05.080
Okay.

10:05.080 --> 10:06.080
Sorry.

10:06.080 --> 10:13.080
So the first question to whichever of you would like to take it is, your team came to FOSDEM last

10:13.080 --> 10:14.080
year.

10:14.080 --> 10:19.080
Was it any use?

10:19.080 --> 10:22.080
Oh, yes, Mike.

10:22.080 --> 10:23.080
Oh, Mike.

10:23.080 --> 10:29.080
So I'm a big fan of stakeholder engagement, and I feel, so I like this concept of policy

10:29.080 --> 10:31.080
making as permaculture.

10:31.080 --> 10:36.080
And I think what that means is you need to plant things in advance so that when you're ready,

10:36.080 --> 10:40.080
when you need it, you can, you can sow them, you can collect the fruits.

10:40.080 --> 10:43.080
And I think stakeholder engagement is like that.

10:43.080 --> 10:45.080
It needs kind of a constant attention.

10:45.080 --> 10:50.080
It should be low maintenance, like any good permaculture garden, but you need to be there kind of regularly.

10:50.080 --> 10:51.080
So that it's ready.

10:51.080 --> 10:54.080
It's always fruiting throughout the year.

10:54.080 --> 10:58.080
And I think that's what we've been trying to do as much as possible with open source folks

10:58.080 --> 11:00.080
in a number of different ways.

11:00.080 --> 11:06.080
And so coming to FOSDEM two years ago, and then last year, and then again this year is a part of that.

11:06.080 --> 11:13.080
Another thing is that in general, for policy implementation, a lot of what is needed is a development of societal structures.

11:13.080 --> 11:19.080
And of course, it's really nice to have a very decentralized and a bit chaotic community going on.

11:19.080 --> 11:20.080
That's really important.

11:20.080 --> 11:25.080
But in order to facilitate top-down communication, which is also a part of life,

11:25.080 --> 11:28.080
it's necessary to have certain structures.

11:28.080 --> 11:36.080
And these structures need to be perhaps more dynamic if the ground is very chaotic, but they need to be there.

11:36.080 --> 11:42.080
And so I think that's also part of maturing and developing social structures, specifically for open source.

11:42.080 --> 11:50.080
But in general, for everything to do with product security, because for this year in particular, it's really the first time that product security becomes mandatory.

11:50.080 --> 11:56.080
I think in many ways, this is the same for my colleagues with platform regulation or AI regulation.

11:56.080 --> 12:05.080
And so I think it's really about how do we develop the social structures that are going to facilitate and support the dialogue of all social stakeholders.

12:05.080 --> 12:12.080
In order to help that to participate into the more high-level regulation processes.

12:12.080 --> 12:13.080
Thanks.

12:13.080 --> 12:17.080
How have you found it on the DSA team?

12:17.080 --> 12:21.080
How has your engagement with the open source community been?

12:21.080 --> 12:22.080
I wrote.

12:22.080 --> 12:26.080
So we are not very software-oriented.

12:26.080 --> 12:29.080
We are more in the functioning of the platforms.

12:29.080 --> 12:41.080
I will say, so it's more about transparency of the practices of the platforms and the data access.

12:41.080 --> 12:52.080
So I said that we, the DSA introduced many new data sources, like the advertisement repositories or, for example, the transparency reports, etc.

12:52.080 --> 13:00.080
We are also engaging with the community, so we already had, I think, if I'm not wrong, three open.

13:00.080 --> 13:01.080
Yes, sorry.

13:01.080 --> 13:17.080
We already had three open consultations for three of the implementing or delegated act that were, so the implementing the second level legislation that came with the DSA.

13:17.080 --> 13:22.080
One, it was for the data access.

13:22.080 --> 13:25.080
One was for the transparency data basis structure.

13:25.080 --> 13:38.080
So the schema to put and one here now, it's about the, so it was the taxes, transparency, and then there was a third one about the,

13:38.080 --> 13:42.080
the embedded researchers, for example, the definition of the researchers.

13:43.080 --> 13:49.080
So I think we are more engaged in with the civil society organizations, etc.

13:49.080 --> 14:04.080
Which are, yeah, let's say, checking or monitoring the effectiveness of, for example, of the take-down of illegal content or it's speech.

14:05.080 --> 14:15.080
But we are indeed, I mean, we are indeed meeting with the also open source foundation members, etc.

14:15.080 --> 14:26.080
Yeah, maybe we use a lot of open source in our day to day work as a wish show, and yeah, maybe.

14:26.080 --> 14:30.080
Have you had very much feedback on your thoughts in life?

14:30.080 --> 14:36.080
Yeah, I mean, it's not very popular yet, this data source, but we have some feedback.

14:36.080 --> 14:42.080
As I said, we are very open to any contribution from the also the word.

14:42.080 --> 14:49.080
I mean, it's there to for you to pull a push request, pull requests or our penishes.

14:49.080 --> 14:52.080
I don't know if you want to compliment.

14:52.080 --> 14:54.080
Yeah, I'm just a few bits.

14:54.080 --> 15:04.080
So it's a tool, we are at more engagement with the academic communities, resolution and open source so far.

15:04.080 --> 15:12.080
But open source and all the tools and the software is also like super useful for our daily enforcement work.

15:12.080 --> 15:22.080
And one aspect that I would highlight as well is we are relying quite a lot on third party data, notifications,

15:22.080 --> 15:24.080
be it like CSOs or researchers.

15:24.080 --> 15:40.080
And the fact that we can build tools in the open source is also a way to level up and to ensure that the practices from these communities.

15:40.080 --> 15:46.080
At the highest level and that we can like the data which is coming from these communities or from these third parties,

15:46.080 --> 15:55.080
be it like CSOs or journalists or researchers can actually be useful afterwards in the enforcement pipeline.

15:55.080 --> 16:02.080
Because we are built on robust software, robust methods and something that we can vouch for.

16:02.080 --> 16:03.080
Thank you.

16:03.080 --> 16:06.080
So I've got a question here from the matrix chat.

16:06.080 --> 16:12.080
You would like to run into the matrix chat as far as this way to get it out.

16:13.080 --> 16:25.080
So in the matrix chat, pink out asks, is there a way to provide input on the fundamental choices related to the standardization process for the harmonised standards of the CRA,

16:25.080 --> 16:31.080
especially when it comes to the pitfalls of integrating the EUCC certification scheme?

16:31.080 --> 16:34.080
Sure, thanks for the complicated question.

16:35.080 --> 16:37.080
But I hope to have a simple answer.

16:37.080 --> 16:48.080
First, I think the CRA, the Cyber Resilience Act is the first legislation that covers all products with digital elements and what that has shown us when we look at existing frameworks of product security,

16:48.080 --> 16:55.080
is that underlying all of these product frameworks, despite the market fragmentation of all these different frameworks and standards,

16:55.080 --> 16:59.080
at the end of the day, good security has a common set of practices.

16:59.080 --> 17:01.080
And it's actually always risk based.

17:01.080 --> 17:02.080
And that's really interesting.

17:02.080 --> 17:04.080
So you always start with your risk assessment.

17:04.080 --> 17:07.080
You always start with your security problem definition or your intended purpose.

17:07.080 --> 17:11.080
I mean, give it the name that you want, but this is how you have to start.

17:11.080 --> 17:16.080
So in order to, so what is a good standard?

17:16.080 --> 17:19.080
It's actually the same as what is a good protection profile or a good scheme.

17:19.080 --> 17:22.080
It identifies risks and it proposes mitigations.

17:22.080 --> 17:26.080
And I think from now on, my job is just going to repeat this whenever people have questions.

17:27.080 --> 17:28.080
Risks mitigations.

17:28.080 --> 17:29.080
That's all we need.

17:29.080 --> 17:30.080
That's all we're looking for.

17:30.080 --> 17:31.080
That's all anybody needs to give.

17:31.080 --> 17:36.080
So that's what I hope that we can all start thinking about very systematically and coherently.

17:36.080 --> 17:44.080
So having said that, the CRA, the Cyber Resilience Act also has provisions for, sort of, integrating the existing certifications,

17:44.080 --> 17:52.080
schemes, the EUCC, common criteria stuff into its regulatory fold by giving them also this so-called presumption of conformity.

17:52.080 --> 17:59.080
But again, the presumption of conformity would only apply to the extent that, for a given use case, the risks identified are correctly mitigated.

17:59.080 --> 18:04.080
So it's exactly the same reasoning from the standards and the protection profiles.

18:04.080 --> 18:12.080
So we're engaging with, with industry and which stakeholders both to develop the standards and to update existing protection profiles in their common criteria.

18:12.080 --> 18:15.080
So it's really sort of similar track even parallel track.

18:15.080 --> 18:20.080
In some cases, the protection profiles from common criteria can be updated as part of the standardization work.

18:20.080 --> 18:27.080
In other cases, the updating of protection profiles can happen separately and can then be sort of copy-pasted into a standard.

18:27.080 --> 18:30.080
So it's really like very much sort of two sides of the same coin.

18:30.080 --> 18:32.080
The processes are going in parallel.

18:32.080 --> 18:38.080
If you're interested in common criteria, you can do exactly the same work as if you're interested in just the standards in general.

18:38.080 --> 18:39.080
Thanks.

18:39.080 --> 18:40.080
Thank you very much.

18:40.080 --> 18:43.080
There's a question from over here.

18:43.080 --> 18:50.080
Well, actually, I may, I give a statement in which I call an assistant.

18:50.080 --> 19:00.080
Because actually, when I call an assistant, you see.

19:00.080 --> 19:03.080
Yes, well, my name is Sebastian.

19:03.080 --> 19:10.080
I'm, well, I started, I've done free software longer than Linux has existed.

19:10.080 --> 19:19.080
And I happen to be employed with Red Hat, which is one of these open source product development companies.

19:19.080 --> 19:32.080
So point here is that I see a broad misconception actually in the way that we talk about open source as something.

19:33.080 --> 19:52.080
Well, the misconception is that there is the community, the development part that is basically collaborative and opening up lots of opportunities for example for competing companies, but also for individuals to create something.

19:52.080 --> 19:58.080
And there is the other side, the consumption part, which is much bigger.

19:58.080 --> 20:04.080
And the problem that we are talking about, for example, with the cyber resilience, is mainly a consumption problem.

20:04.080 --> 20:14.080
It is that people do not understand how the open source, the open source, the source code software boils down.

20:14.080 --> 20:24.080
And trickles down the path to the consumers, and the problem lies in the artifacts that these consumers typically use.

20:24.080 --> 20:27.080
And the release management and the patch management.

20:27.080 --> 20:33.080
And, you know, all this stuff that is in between the upstream and the consumption.

20:33.080 --> 20:43.080
And trying to regulate to solve the problem on the consumer side by making obligations for the communities.

20:43.080 --> 20:46.080
Simply doesn't work, this is the wrong address, see.

20:46.080 --> 20:55.080
And so the problem is that those that consume open source at large do not quite understand how this whole thing works.

20:55.080 --> 21:00.080
So at least this is my, my take of this whole story.

21:00.080 --> 21:06.080
And so yeah, well, I think this should be addressed somehow.

21:06.080 --> 21:21.080
And even if we go to the, to the, to the AI, and the question, what open source AI is, this is, if we, if we get the better understanding of the, of the consumption and the creation part.

21:21.080 --> 21:29.080
So contribution into those models, having those companies that provide the stuff.

21:29.080 --> 21:33.080
Open to, you know, for, for actually cooperation and contribution.

21:33.080 --> 21:37.080
This is the point that makes this whole thing open source.

21:37.080 --> 21:52.080
So do you have, well, is there, is there any idea, do you, do we have plans to enter the notion of, the, the consumption, the artifact release management part into these whole stories.

21:52.080 --> 21:53.080
Thank you.

21:53.080 --> 22:01.080
Hey, thanks for the question.

22:01.080 --> 22:10.080
So in general, the cyber resilience act puts responsibilities on the manufacturers or developers, but it's actually part of a bigger picture of shared responsibility.

22:10.080 --> 22:13.080
I wrote that on the, on the board while you are asking your question.

22:13.080 --> 22:22.080
So it's, so you can see it, for instance, in conjunction with other legislation that put specific risk management obligations for instance on certain critical users.

22:22.080 --> 22:26.080
The critical infrastructure owners, that's the NIS directive.

22:26.080 --> 22:38.080
And in general, I very much agree with the idea that, you know, there's a huge space between the developer and the end user and all of this space needs to kind of start to mature.

22:38.080 --> 22:41.080
The communication needs to be structured to make it efficient.

22:41.080 --> 22:49.080
And that is kind of what I was saying in my initial statement that to implement the legislation, we need the social structures to be in place.

22:49.080 --> 22:57.080
Some of that are more regulatory, others are not fully regulatory and that can be a good thing that civil society can just respond in an effective way.

22:57.080 --> 23:04.080
But for the CRA in general, there's a lot of emergent benefits because it covers the whole supply chain.

23:04.080 --> 23:12.080
Everybody has to respond at their respective level. Everybody just has to listen to the level below for the level above.

23:12.080 --> 23:18.080
And that way is kind of sort of reduced scope to what everybody has to do, but if everybody does that and everybody does have to do that under the regulation.

23:18.080 --> 23:22.080
Then you're going to have the big picture and those emergent effects can already happen.

23:22.080 --> 23:28.080
I've been calling for exactly what you're saying for the people who are standardizing these horizontal standards.

23:28.080 --> 23:33.080
Tell them, please notice that the CRA covers the whole supply chain.

23:33.080 --> 23:44.080
We need to facilitate, we need to produce the frameworks that are going to facilitate the communication across the whole supply chain so that this is easy and simple for everyone.

23:45.080 --> 23:50.080
And they struggle, I have to say, it's very abstract for them, it's very high level.

23:50.080 --> 23:53.080
But okay, we're getting there after a year and a half, it's becoming clearer.

23:53.080 --> 24:01.080
I've been talking about this notion of risk levels as a way of defining certain kind of categories of use cases and to communicate that throughout the supply chain.

24:01.080 --> 24:06.080
This piece of software is, you know, secure for low risk use cases only.

24:06.080 --> 24:09.080
So if you have a high risk use case, you shouldn't use this piece of software.

24:09.080 --> 24:13.080
You can use other pieces of software that sort of cover high risk use cases.

24:13.080 --> 24:20.080
That would be a simple way in my imagination that you could perhaps sort of start to structure the communication across the supply chain.

24:20.080 --> 24:25.080
It's just an example, it's not like law, but, you know, we need to develop those market practices.

24:25.080 --> 24:31.080
We need to develop that social structure that will facilitate and all of that communication.

24:31.080 --> 24:32.080
Thanks.

24:33.080 --> 24:43.080
I do not know where the NGA level, but it's a corporate level.

24:43.080 --> 24:44.080
Yeah, I know.

24:44.080 --> 24:45.080
Consumers are corporate.

24:45.080 --> 24:52.080
So the social structure is industrial is public sector is corporate.

24:52.080 --> 25:00.080
So as I said, right, there's actually legislation giving cybersecurity risk management obligations to all of the critical corporations and entities.

25:00.080 --> 25:07.080
And yeah, I don't think the CRA applies to all of the steps of the supply chain, knowing that almost all of them are corporate.

25:07.080 --> 25:12.080
In fact, all of them are corporate because non-commercial open source is fully excluded from the CRA.

25:12.080 --> 25:15.080
So, you know, actually all of them are corporate.

25:15.080 --> 25:18.080
So we're running to the end of the session here.

25:18.080 --> 25:25.080
I've got one more question that is actually completely different place to that, which maybe Toby would get us started with.

25:25.080 --> 25:30.080
So we've had a question in the RC from Teaspoon RC.

25:30.080 --> 25:42.080
Is it possible, if not too complicated, for a newbie in the area to have an explanation of how the CRA actually works in practice?

25:42.080 --> 25:49.080
So for example, as an engineer, I produce a product, who should I contact to make sure my product is compliant?

25:49.080 --> 25:53.080
Who is the, who are then, how do I find them?

25:53.080 --> 25:58.080
How have they got the power to verify that I can put my product on the market?

25:58.080 --> 26:02.080
I think that's the shape of question quite a lot of people have asked me.

26:02.080 --> 26:08.080
Yes, it is. It's also a lot of different questions with a lot of different answers.

26:08.080 --> 26:13.080
At the same time, I'm going to try to keep it short.

26:13.080 --> 26:19.080
I think right now, a lot of this is being defined.

26:19.080 --> 26:29.080
And so being a newbie in this space right now, if you want to enter this space and see how things are being made, I think.

26:29.080 --> 26:40.080
Well, I mean, of course, we're doing a lot of this work at ORC with an FAQ and really trying to collect those kinds of questions.

26:40.080 --> 26:46.080
And then break them down to have clear answers for those.

26:46.080 --> 26:49.080
So I think that's one way of looking at it.

26:49.080 --> 26:59.080
And I think as we move forward into this implementation phase and into the application phase,

26:59.080 --> 27:06.080
well, first of all, the commission is going to issue guidance on some of these topics.

27:06.080 --> 27:10.080
So I think that's going to be a place to get answers.

27:11.080 --> 27:17.080
And then, yeah, I think maybe you want to add a few things about this.

27:17.080 --> 27:24.080
Yeah, thank you very quickly. I think to take a step back before answering to say that this kind of question is exactly.

27:24.080 --> 27:30.080
So once the development of those social structures that we're saying that are needed to support the implementation of legislation,

27:30.080 --> 27:32.080
people need to know where to find answers.

27:32.080 --> 27:35.080
There needs to be a place where people can look at this.

27:35.080 --> 27:41.080
Some clients look like, and the first thing I need to say is that the legislation has just been published.

27:41.080 --> 27:44.080
Last month, it's just entered into force.

27:44.080 --> 27:48.080
And so at the moment, we are still at the very beginning of the transition period.

27:48.080 --> 27:54.080
This is actually the moment of highest uncertainty, which obviously is uncomfortable right now.

27:54.080 --> 28:02.080
But that means, you know, every single week, we will be working to reduce that uncertainty as we work on guidance, as we work on implementing legislation, as we work on standards.

28:02.080 --> 28:08.080
And by the end of the three-year transition period, there should be a lot less uncertainty and everything should be a lot clearer.

28:08.080 --> 28:11.080
So, but for now, if you're looking for information where do you go?

28:11.080 --> 28:13.080
Well, look at commission websites.

28:13.080 --> 28:18.080
Look at commission funded projects like cyberstand.eu that I've written on the board there.

28:18.080 --> 28:24.080
Look at the other social structures that are setting up, specifically gearing up to answer to this.

28:24.080 --> 28:31.080
The Eclipse Foundation has set up the ORC, open regulatory compliance working group, which is an initiative that we welcome a lot,

28:31.080 --> 28:39.080
because it is meant to be a place where different open source actors can come together and have those discussions of how does this CRA affect them, apply to them.

28:39.080 --> 28:44.080
So, get involved in the initiatives that are already trying to sort this out, basically.

28:44.080 --> 28:45.080
Thanks.

28:45.080 --> 28:46.080
Great, thank you.

28:46.080 --> 28:55.080
And so to be clear, you're hearing all the questions we're answering, and you're going to be publishing some written guidance that addresses some of those questions.

28:55.080 --> 28:59.080
Over the year, not least because the CRA says you have to.

28:59.080 --> 29:00.080
Yeah, exactly.

29:00.080 --> 29:02.080
The CRA says we have to, so we're going to do it.

29:02.080 --> 29:03.080
Okay.

29:03.080 --> 29:07.080
So, thank you very much indeed to these speakers and panelists.

29:07.080 --> 29:09.080
Thank you.

29:09.080 --> 29:11.080
Thanks.

