WEBVTT

00:00.000 --> 00:15.120
All right, so we continue with the Cyber Resilience Act, and yeah, so focami, which I

00:15.120 --> 00:21.440
in me will tell you in the next 20 minutes, something about our learnings from the

00:21.520 --> 00:29.360
regulatory process, and we will go through some wild slides, and show you what we learned in

00:29.360 --> 00:35.600
the, basically, last one, two years on this, and what we, or how we can reuse this information

00:35.600 --> 00:43.920
for upcoming slides, upcoming legislation that is of importance for us. We do a bit of

00:44.080 --> 00:52.160
like karaoke here, and as Carlos, the very first, a widespread, and I mean, it's important

00:52.160 --> 01:00.480
for you to know whatever you see here, so this is sort of like, yeah, downscale to make it understandable

01:00.480 --> 01:05.280
for you, so it's a bit more complex in reality, basically transformed into a policy debate one could

01:05.280 --> 01:11.120
say, so it gets a bit more concrete, we start to talk about clear text, so we get a proposal,

01:11.680 --> 01:16.720
discuss this proposal, we get wording, and we can discuss wording, we can discuss commerce,

01:16.720 --> 01:26.560
we can move text up and down, and so with this, we basically, yeah, start, and this is

01:26.560 --> 01:34.000
important for us, a process in the institutions, and basically, yeah, finally, come up then at one

01:34.000 --> 01:42.240
point with something like what we call now the Cyber Resilience Act or a file, which needs to

01:42.240 --> 01:49.040
be implemented in a certain time, let's say, two years, and this is basically the very

01:49.040 --> 01:58.640
interesting part, so this is basically, we are now, so we are basically, so we got out of this

01:58.640 --> 02:04.560
heated part here in the middle, and now I have a text here in the blue part,

02:04.560 --> 02:11.440
and now we start with implementing all of this, and this means we read the text again and try

02:11.440 --> 02:17.600
to understand what we really do with this, so, and that's the fun part, since there are, I mean,

02:17.600 --> 02:25.040
we already had some insights, but also many open questions, and these open questions will remain for

02:25.120 --> 02:30.160
a certain time, basically, until we finish the implementation, and then we will still figure out

02:30.160 --> 02:36.640
that there are still issues, and this is then the evaluation, and then we start again, so, and this

02:36.640 --> 02:48.560
is I'm going to hand over to the next fun slide. So, yeah, that is not meant to overwhelm you,

02:49.520 --> 02:58.480
there is just, and the main idea of that talk was to talk about what do you need to understand

02:58.480 --> 03:05.680
complex things, and what helped us to navigate this, and what, that whole thing is here,

03:05.680 --> 03:14.880
is it? So, what I did was I went through all of those laws that I kind of came across,

03:14.960 --> 03:22.720
mostly from questions, from our members, or from another community, and,

03:22.720 --> 03:28.000
and how does that relate to open source. So, the first thing I did was, looking at what

03:28.000 --> 03:34.400
law uses the term open source. So, and what you see is, there are three here, that is,

03:34.400 --> 03:44.000
this is here, the AI Act and PLD. You see, the NIS2 directive, you see the Cyber Security Act,

03:44.000 --> 03:50.960
and the managed service, managed security service directive, and then you see here,

03:51.600 --> 04:00.640
either, and EHDS, and then the thing in the middle, that is, Interoperable Europe.

04:01.600 --> 04:09.360
So, so now we know these are things that are all like open source, and now the question is,

04:09.360 --> 04:17.680
how does that relate to anything we do? So, since we focus on the CRA, so what is the CRA?

04:18.400 --> 04:25.280
If you look at this picture, in whole, what you see here is that the CRA is not alone. It's not just

04:25.280 --> 04:31.200
a standalone law, that, you know, is disconnected from other things. It has a connection,

04:31.200 --> 04:38.160
and that connection is the way how it's built, that is built within the so-called New Legislative

04:38.160 --> 04:45.360
Framework. That is a nice history in itself, but just to explain

04:45.360 --> 04:52.800
how it actually trickles down into those laws. So, CRA, AI Act, PLD, are the kind of software

04:52.800 --> 05:02.080
regulations or directives that apply to products with digital elements, they do not necessarily

05:03.280 --> 05:09.520
apply just to software, that is a little bit of an interesting discussion there. Then I left out,

05:09.520 --> 05:17.040
for example, the machinery stuff for now. But what's important is the, the standardization regulation,

05:17.040 --> 05:25.680
CE is its own directive, collective actions, that's relatively new, that is also part

05:25.680 --> 05:33.120
of the CRA, and then the market surveillance regulation. So, that is everything about how

05:34.080 --> 05:42.560
the national authorities can like use their market powers to either investigate or to remove

05:44.160 --> 05:52.480
products from the market. The other, like, and while this is NLF, and actually like, you know,

05:52.480 --> 05:58.880
European product regulation, and that also comes with the understanding of what a PDE, or product

05:58.960 --> 06:06.080
with the digital elements is. Do we want to go into the nitty-gritty details of stewards already?

06:06.080 --> 06:15.360
Okay, no. Okay, so I leave that out. But yeah, however, there are also other laws that are mentioned

06:15.360 --> 06:23.280
by the CRA, in one form or another. So, either it amends things or it has carved out, for example,

06:23.360 --> 06:31.120
you see here MDR and IVDR, they are medical devices. Medical devices do not draw their

06:31.120 --> 06:38.880
conformity on the market from the CRA. That is what the CRA says. You know, these products do not

06:38.880 --> 06:48.720
show conformity over the CRA as a process. The same is true for cars and planes. But other products do,

06:48.800 --> 06:58.560
for example, those who are explicitly mentioned, and also from EHDS, electronic health record systems,

06:59.360 --> 07:07.440
were also amended into the CRA just, you know, now by name because now the CRA has actually

07:08.080 --> 07:17.840
a reference number. What is also in there, NIS2 and the Cyber Security Act, NIS2 is for

07:19.200 --> 07:26.320
the database and for the vulnerability and incident reporting, and the CSA is basically

07:26.320 --> 07:36.080
for the certification of products. And these two relate in that NIS2 entities should

07:37.040 --> 07:44.400
preferably use things that are certified, but at least things that are compliant with the CRA,

07:44.400 --> 07:54.000
so that show CE for, like you know, as a product for what they do in their work or in their network.

07:57.200 --> 08:01.920
I think I'm done with it in the moment and now we move to the next one.

08:06.160 --> 08:16.400
I'm Michael from the market surveillance of the BSI, Germany and in this view, we see how different

08:16.400 --> 08:24.880
stakeholders interact in the CRA and there are a lot of them. Luckily, not all of them have to

08:24.880 --> 08:31.280
interact with each of the others. So if you have a look at the open source perspective,

08:31.280 --> 08:36.640
we do have on the top left the open source component, which a manufacturer can integrate.

08:37.280 --> 08:43.920
At that moment, the manufacturer takes the responsibility for that open source component in his product,

08:43.920 --> 08:51.120
which means, for example, if there's a vulnerability in that component, the manufacturer needs to find

08:51.120 --> 09:01.760
the way to fix that vulnerability and then, as said, by the previous person, he needs to contribute

09:01.760 --> 09:07.440
the fix back to the open source project, which developed the open source component.

09:10.960 --> 09:20.480
Then, we also have the stewards and the purpose of the stewards is to support the development

09:20.480 --> 09:28.160
of free and open source software, which is intended for commercial use. With that, in the CRA,

09:28.160 --> 09:33.680
there are some obligations for the open source stewards. For example, he has to put in a policy

09:35.200 --> 09:41.360
for the development of secure products with digital elements and he also has to put in the

09:41.360 --> 09:51.280
policy for an effective vulnerability handling. He needs to foster the voluntary vulnerability

09:53.280 --> 10:01.600
reporting. He has to work together with the market surveillance on how

10:04.400 --> 10:10.800
the cybersecurity risk can be mitigated and how to maybe find a way that

10:10.800 --> 10:15.040
everybody can work together and get something good out of the CRA.

10:20.000 --> 10:22.240
So, then, do you have questions?

10:25.680 --> 10:32.480
No, I mean, really, we also have another Q&A session afterwards, but I mean, I think it's

10:32.800 --> 10:35.840
we're going to ask some questions. So, there we go.

10:43.520 --> 10:47.840
So, what's the difference between an open source project and a steward?

10:47.920 --> 11:05.840
Okay. So, in general, a steward. My understanding nowadays, since I have

11:05.840 --> 11:12.080
seen it a little bit differently, I believe that steward is not very helpful, as a concept

11:12.080 --> 11:19.520
in the CRA, because it makes stuff extremely confusing, because the NLF is very clear.

11:19.520 --> 11:25.280
We have products. Products you put on the market. If you have, I don't know, the open SSL library,

11:25.280 --> 11:34.640
that is not a product. So, the question here is, how do you actually, what do you need to do

11:34.640 --> 11:42.000
in order to make that a secure aspect of a product? It is not in scope. I'm very, very sure about

11:42.320 --> 11:51.280
this. But a product, like a project itself, it can be called, it can just be text, it doesn't

11:51.280 --> 11:58.400
even need to be something functional. A project is a project. Steward is the idea that you have a

11:58.400 --> 12:05.920
structure that maintains certain aspects of it either, just a distribution or the development

12:05.920 --> 12:11.360
or maybe just the security of something. That is more how I would see it. It's not, oh, I'm a

12:11.360 --> 12:18.720
manufacturer or I'm a steward. Usually, you are a manufacturer or just a maintainer, and maintainers

12:18.720 --> 12:24.880
do not have obligations this year. If you choose to be a steward, you choose to do something that

12:24.880 --> 12:31.440
means I don't need to comply, but I want to. I want to have more obligations than I really have,

12:31.440 --> 12:39.040
because I want to offer something in order to be interesting for the market. That is a whole

12:39.680 --> 12:44.720
point. The difference between, do I choose this SSL library or that SSL library,

12:44.720 --> 12:51.120
because of the different type of, you know, whatever is behind it, that I need or I want to have

12:51.120 --> 13:06.000
for my product. The question then is, how can we use the steward to get something helpful out of it?

13:06.240 --> 13:14.880
So the manufacturer has to comply and is responsible for all the open source components he's

13:14.880 --> 13:20.800
putting into his product. Small, medium businesses, they might not even know what open source

13:20.800 --> 13:28.800
product components are in their products right now. So from the perspective of I, as a manufacturer,

13:28.800 --> 13:34.800
then have to fix all those vulnerabilities and all those problems, I might not be able to do that.

13:35.680 --> 13:45.920
So then there are two ways to counter that. One option is he's putting pressure on the

13:45.920 --> 13:53.760
open source developers who don't really have the obligation to do something, but I mean pressure

13:53.760 --> 14:04.080
can be quite high. And the other one is I don't use open source components, because if I buy

14:04.160 --> 14:11.440
a certain product, then the commercial product, then the one who's manufacturing that one,

14:12.160 --> 14:19.040
also has to comply with the CRA, and then I can shift my responsibilities to that sub party.

14:19.760 --> 14:25.760
With the open source steward, there might be a way that the manufacturer can't put pressure

14:26.720 --> 14:34.160
onto the open source developer, but he can interact with the open source steward,

14:34.160 --> 14:42.480
and then the open source steward might be able to provide resources back to the open source project.

14:43.600 --> 14:51.200
And that are things we can talk about right now, because it's not written down. So there needs

14:51.360 --> 14:59.040
to be guidance on how all of these stakeholders interact, and we right now have the chance to

14:59.040 --> 15:08.000
define that guidance and try to get our source into that. So there might be a way that open source

15:08.000 --> 15:09.600
steward can be helpful.

15:13.040 --> 15:19.600
Just quickly following up on that question, I'm all confused, because I thought that I understood

15:19.600 --> 15:27.360
what an open source steward was from perspective of it's an organization that provides governance

15:27.360 --> 15:35.760
of some kind for open source projects. So if there is a library or a tool that is being developed

15:35.760 --> 15:42.320
by maintainers, and the organization that provides governance is something like

15:42.320 --> 15:49.280
the Open SSF or the Open JS Foundation, then that foundation is the steward. So am I wrong about

15:49.280 --> 15:57.200
that? You are a human autism, but who determines that? That's the first thing. Who's

15:57.200 --> 16:03.040
like do you declare yourself a steward or like you're already in the second part of the discussion?

16:03.040 --> 16:07.440
That is what they're actually going to discuss later, but there is, I think there are a lot of

16:07.440 --> 16:12.480
misconceptions around the steward, and it is very clear why it is so like such a misconception,

16:12.480 --> 16:18.240
because many people don't understand that it is a market regulation, a market regulation,

16:18.320 --> 16:25.440
something that built up over 40 years, and after 40 years, the legislator introduced a

16:25.440 --> 16:32.720
new market actor that is actually derived from something that used to be the work of voluntary,

16:33.840 --> 16:43.120
no volunteers. You cannot just chew on them into a regulation that addresses exclusively

16:43.280 --> 16:55.920
a certain actor in an internal market, you have the market rule, it is not this or it is

16:55.920 --> 17:03.520
not in a like the security here is just a product rule, not more or not less. So and the steward

17:03.520 --> 17:11.680
it is only like it is kind of a wild card where you can solve certain problems that may or may not

17:11.760 --> 17:17.440
be like you know not, not so, but in any other way. For example, when you have let's say a product

17:17.440 --> 17:23.120
or like you are not a manufacturer because you don't put it on the market, but what you put out

17:23.120 --> 17:31.680
has, like, product-like properties. And the point here is the difference between

17:31.680 --> 17:39.760
steward and the manufacturer in that regard is I guarantee you certain properties for that product,

17:39.840 --> 17:45.520
and if I monetize that then I'm a manufacturer and if I don't then I'm not this is how I see it,

17:45.520 --> 17:51.040
it's a little bit more complex and just saying oh I do governance. And also the other thing is you

17:51.040 --> 17:57.440
can also as I said, I believe the steward for certain aspects, which means for example I say okay

17:57.440 --> 18:05.520
I'm whatever we only do a certain aspect of what is required or wished by manufacturers and we

18:05.600 --> 18:11.200
had to actually implement that. And the last thing I believe is stewards are very useful, for

18:11.200 --> 18:19.040
example in a sector context so that you have manufacturers in the same sector that think about how

18:19.040 --> 18:26.240
they deal with their common supply chain. Their manufacturer is a very, very powerful actor actually

18:26.240 --> 18:32.640
to get like you know problems done that you have in a certain area and this is where a lot of

18:32.640 --> 18:39.680
security I believe can come from you know in order to you know like yeah make sure.

18:42.880 --> 18:50.480
Maybe to add to this, so I mean let's go back to the first slide, and so the idea to come up with

18:50.480 --> 18:56.000
this Cyber Resilience Act was basically we had things like this Log4j case and then we also

18:56.000 --> 19:02.080
figured out, ah, maybe a better idea to put pressure on these two people. But how do we

19:02.160 --> 19:07.760
make it happen that they can contribute to security and if we flip it right we can make manufacturers

19:09.920 --> 19:15.680
like supporting stewards to help them so and there needs to be in the action and I mean in the

19:15.680 --> 19:20.800
in the first part of the Cyber Resilience Act it was like the commercial activity which was

19:20.800 --> 19:24.800
the threshold and then we figured out that this doesn't work for the open source community and that's

19:24.800 --> 19:31.040
why we came up with the steward thing so and that's why we are and also as I said we are still

19:31.120 --> 19:36.480
writing a lot of things so there is still a lot of things that need to be written so and and this

19:36.480 --> 19:40.640
is happening now so and your question will be defined in the next year I'd say.

19:43.040 --> 19:49.040
One thing that you can do to help us as moderators is if you have a question and raise your hand please

19:49.040 --> 19:54.400
don't lower it again because then it's difficult to find you and it's also some kind of a selection

19:54.400 --> 19:57.680
process how urgently you really want to ask the question so.

19:58.160 --> 20:08.880
Well, on that note, I have two questions if you may. So right now it's a little bit confusing

20:10.000 --> 20:15.280
what it's all about, and my question is now how long do you think it takes to

20:15.840 --> 20:22.880
fine tune all this so it's becoming more clear what everyone's roles and responsibilities

20:23.520 --> 20:30.640
and following up on that on roles and responsibilities you impose actually with the CRA a lot of

20:31.680 --> 20:39.200
obligations to several of these parties but do you offer also any assistance in achieving those

20:40.400 --> 20:46.080
those goals, otherwise it will become like dead letter legislation because you scare people off

20:46.720 --> 20:55.360
in actually contributing to this you say like for example a this this person we need to put pressure

20:55.360 --> 21:00.240
on to fix the security vulnerability but they have no obligation to do that how do you

21:00.240 --> 21:07.280
will you positively achieve this? Yeah, so guidance, and there's the timeline.

21:07.920 --> 21:16.400
I mean it's like most questions are, like you know, we offer on software, so there are a million

21:17.200 --> 21:26.640
answers to this there's not the answer. I mean like there are very many like you know entities

21:26.640 --> 21:32.400
that produce guidance one one part will be the expert group of the commission then there is

21:32.400 --> 21:38.240
all, then the OpenSSF, there is like, and then like the projects themselves very likely for

21:38.240 --> 21:43.600
whatever is there the question is here who helps them in effectiveness and who helps them as

21:43.600 --> 21:48.480
SMEs, it is like where I believe the biggest questions are, because they have the most

21:48.480 --> 21:54.960
headaches but but yeah that is like so and for manufacturers the actual guide is going to be

21:54.960 --> 22:06.640
the answer and speed to five years and call blue guide timeline so yeah we run a little bit of

22:06.640 --> 22:17.200
time but so the the part from the first that was very empty at the end this part here so I

22:17.200 --> 22:22.240
started to think about or like we actually started to think about sometime ago what that actually

22:22.240 --> 22:30.560
means if you want to if if so the question that that needs to be answered is what is the impact

22:30.560 --> 22:38.160
of that regulation on the ecosystem and that is not something that you start to answer in 2030 or

22:38.160 --> 22:45.680
something that is what we have to assess now and everything that is going on there you know like

22:45.680 --> 22:53.920
ultimate the ends here or like in two things actually the one thing is the question here that is

22:53.920 --> 23:06.160
like the time when the CRA will be up, so yeah, but it will be renewed and this is a moment

23:06.960 --> 23:11.120
like latest where you we also can now put a lot of pressure on the commission

23:11.120 --> 23:26.400
okay, 2029, 2029 is the latest moment to do a hard pressure I believe

23:27.200 --> 23:35.040
okay and after this session to something completely different yeah thank you all

