WEBVTT

00:00.000 --> 00:10.560
I changed a lot of the talk today because there have been so many Cyber Resilience Act presentations

00:10.560 --> 00:16.240
in the last few days and in particular yesterday there was a half-day devroom on the CRA in

00:16.240 --> 00:21.760
practice and so to avoid duplicating what's already been said in those presentations I changed

00:21.760 --> 00:25.280
a lot of the slides and so I hope I'm still within the scope of what I was meant to talk

00:25.280 --> 00:34.560
about. So the talk is aimed to be an introduction to the work that we're doing on the Cyber Resilience

00:34.560 --> 00:42.000
Act and in particular we find that it's easy enough for the larger entities to get involved

00:42.000 --> 00:48.960
and so the aim is to try and get smaller entities to also participate but I didn't want to give

00:48.960 --> 00:54.400
the impression that actually the CRA is going to affect everyone so maybe it should have been

00:54.400 --> 00:59.280
actually a question: is the CRA for everyone? Or maybe it's CRA information for everyone

01:00.080 --> 01:07.200
including small projects. So the other reason I changed the talk is because I've been talking

01:07.200 --> 01:13.120
to so many people in the last five days about the Cyber Resilience Act and it's really surprising and

01:15.120 --> 01:20.800
you have to be reminded of this constantly, how different the levels of awareness are and how different

01:20.800 --> 01:27.920
the interests are in different topics and so once again I had to change a lot of slides and this

01:27.920 --> 01:34.080
is a little bit of a mishmash of topics but I hope there's something in it for everyone. So one of the

01:34.080 --> 01:39.680
topics that you know I generally forget is something you still need to talk about is the timeline

01:39.680 --> 01:46.320
so this is important because the Cyber Resilience Act was voted on and adopted by the EU institutions

01:46.400 --> 01:52.960
at the end of 2024 and so sometimes the media talks about it: it's done, it's adopted

01:52.960 --> 01:57.600
and it's entered into force and then people might look around and say well nothing really changed

01:57.600 --> 02:02.880
and you might get the impression that the Cyber Resilience Act was no big deal but the law is

02:02.880 --> 02:12.000
in force but the fines for not following the law are not yet applicable. So there will be a smaller

02:12.080 --> 02:18.480
part of the Cyber Resilience Act that on September 11 will become applicable, the fines for vulnerability

02:18.480 --> 02:24.960
reporting, but the main provisions are not coming in until December 11, 2027. So we're still in the

02:24.960 --> 02:30.960
phase of working out how we're going to comply and then what I'm going to show today is that we're

02:30.960 --> 02:38.960
also still in the phase of drafting the Cyber Resilience Act. So, as mentioned, the reason

02:39.040 --> 02:44.960
we want to focus on small projects is that the larger entities, you know, like I work for

02:44.960 --> 02:52.320
the Eclipse Foundation and we have policy people like myself and we have lawyers and we have, you know,

02:52.320 --> 02:57.520
people who can work on compliance and then once we have to do this work anyway for the software

02:57.520 --> 03:03.920
projects that we host then it's kind of easy to apply this to the other projects that we also host

03:03.920 --> 03:11.680
so for us we're kind of the easy case for doing CRA compliance and what we want to do though

03:11.680 --> 03:18.320
is, one of the roles of code-hosting FOSS foundations is to benefit the ecosystem in general

03:18.320 --> 03:23.920
and to bring you know stability to the ecosystem and so we try to make our materials available

03:23.920 --> 03:30.400
in the way that's most useful for everyone and so what we did is we published all our information

03:31.040 --> 03:35.200
on our website and then also we went a bit further and we created this coalition called the

03:35.200 --> 03:40.800
Open Regulatory Compliance Working Group and that is a place where everyone who has to deal with

03:40.800 --> 03:46.000
the Cyber Resilience Act and that can be people who love open source and it can be people who hate open source

03:46.560 --> 03:51.440
as long as you have to deal with Cyber Resilience Act compliance this working group is a place to

03:51.520 --> 04:00.080
coordinate and make that work at least as painless as possible. So that's the Open Regulatory

04:00.080 --> 04:04.800
Compliance Working Group web page and there's a QR code and I'll show that at the end but I'm not

04:04.800 --> 04:14.320
going to dwell on that for the moment. So in the Cyber Resilience Act the main categories of people who

04:14.400 --> 04:22.000
have obligations are the manufacturers and stewards, and then the

04:22.000 --> 04:28.320
other category and the other category doesn't really get a formal name but the verb provide

04:28.320 --> 04:33.200
provision or providing is used at some point so we could call them providers of software

04:33.200 --> 04:38.240
and these are the ones that are most likely to be exempt and so I talk about exemption because

04:38.320 --> 04:44.000
when you talk to small entities the first thing some of them want to hear is, you know,

04:44.000 --> 04:50.000
am I exempt or how do I get exempt, and the focus is on maximizing the ability to

04:50.000 --> 04:58.880
ignore the Cyber Resilience Act, and so you can look into the text, and so this is just a

05:00.160 --> 05:05.520
little introduction to reading EU legislation because when you look at the text

05:05.600 --> 05:09.520
of the Cyber Resilience Act you have this sentence that says free and open source software is

05:09.520 --> 05:14.560
only covered when and because of the word only there that sounds like this is going to be

05:14.560 --> 05:18.880
this is the exemption. Now so what is the exemption? Free and open source software is only

05:19.840 --> 05:25.040
covered if it's made available on the market and so that would look like the and then you could

05:25.040 --> 05:29.280
start looking at you know what does it mean to be made available on the market but when you look at

05:29.280 --> 05:34.480
the scope of the Cyber Resilience Act it actually only applies to software that's made available on the market

05:34.800 --> 05:40.960
or products with digital elements made available, so that's not the unique

05:40.960 --> 05:45.360
criterion that makes free and open source software exempt. So then you have to go back and then if you look at

05:45.360 --> 05:50.960
well, you know, there's another part of that same sentence that talks about projects that are

05:50.960 --> 05:57.280
not monetized by their manufacturers and, you know, maybe this is the actual part that

05:57.280 --> 06:02.480
differentiates between free software and general software that has to apply the Cyber Resilience

06:03.120 --> 06:10.720
Act, and so the point is the word monetized is not really defined in legislation or at least

06:10.720 --> 06:15.680
it's not clear to us at the moment. So making available on the market is a term and I'll come

06:15.680 --> 06:22.560
back to where that can be found, but monetized was new to us, and so the point here is that

06:22.560 --> 06:26.880
even for people who've been reading this for you know two or three years you know the words are

06:26.960 --> 06:34.960
not always clear so you might be thinking then well why don't we just ask for some clarity why don't

06:34.960 --> 06:42.240
we ask someone to fix this apparent bug in the text, and the issue is that it's not always

06:43.280 --> 06:48.640
compatible with the objectives of the Cyber Resilience Act to clarify these things because the

06:48.640 --> 06:56.000
goal of the Cyber Resilience Act is to increase cybersecurity, and so if there's a real focus on

06:56.960 --> 07:02.560
how to get into the excluded category and how to define what's excluded then you know this is

07:02.560 --> 07:08.080
nice because legal clarity is nice but then it also makes it easier for people who are focusing on

07:08.080 --> 07:12.240
how do I get into this category of, you know, not having to deal with the cyber security act,

07:12.240 --> 07:17.120
I mean the Cyber Resilience Act, and so that's, you know, not the objective. The objective is to increase

07:17.120 --> 07:22.320
cybersecurity, and so it's not something that's necessarily going to be fixed by asking questions

07:22.400 --> 07:28.800
or more legislation. And then, you know, another example is there is a part of the Cyber Resilience

07:28.800 --> 07:35.600
Act that says that unfinished software is not covered by obligations, and so in the early days

07:35.600 --> 07:42.560
we thought maybe we could say that all free software is unfinished, but yeah, the problem

07:42.560 --> 07:47.360
there is that unfinished software is defined as software that's available for a limited period and

07:47.360 --> 07:51.840
that's you know that's not how we make our software available so it's probably not of any use to

07:52.000 --> 08:02.240
us, and it's been told to us that we probably shouldn't try to use it. So then the bits

08:02.240 --> 08:08.000
of clarity we do have in the text focus on these above things: the idea of charging for software

08:08.000 --> 08:14.400
or charging for support beyond just covering your own costs and then processing personal data and

08:14.400 --> 08:19.520
that's just, you know, if that's your business model, rather than directly getting cash, then

08:19.520 --> 08:24.960
you can't claim to be non-profit if you're scooping up lots of personal data and

08:24.960 --> 08:30.480
selling that later. So these are the criteria; again, it's not always clear

08:31.040 --> 08:37.280
at what point the connection has to exist for the obligation to exist, you know, if I have

08:37.280 --> 08:42.160
ads on my website does that make every download from my website commercial? So some of these things

08:42.160 --> 08:49.120
are still being defined and one of the challenges is that product legislation in the EU

08:49.120 --> 08:55.440
never generally applied to software in the past, and so it's all been developed with physical products

08:55.440 --> 09:02.160
in mind, and so now we're trying to use all this terminology that is being shoehorned into

09:02.160 --> 09:11.680
the software context. So what we're doing to get the smaller projects to be better represented

09:11.760 --> 09:18.560
is that we don't expect smaller projects to be able to get involved and have a full-time person

09:18.560 --> 09:24.480
spending lots of time and giving lots of attention to this, but what we would like is to be

09:24.480 --> 09:29.680
able to raise the level of awareness and make enough information available so that at least small

09:29.680 --> 09:34.320
entities, when they see the work that's being published by for example the Eclipse Foundation

09:34.320 --> 09:39.680
but also other entities, we'd like to be able to get feedback and, you know, hear whether this

09:39.760 --> 09:46.160
information is useful, is sufficient, and, you know, in general what are the needs of smaller projects

09:46.160 --> 09:52.160
and smaller companies so that we can better serve the needs of the community as a whole

09:54.080 --> 10:01.840
So I had two topics and then I inserted a quick topic number zero. So while we're working on

10:01.840 --> 10:06.960
the Cyber Resilience Act I kept on thinking about this idea that policy is the new licensing, and it's

10:07.280 --> 10:13.680
important because in the free software world you know for 40 something years we always defined our own

10:13.680 --> 10:19.040
legal context because we had our licenses and that was most of the legal discussion and then

10:19.040 --> 10:24.480
a small amount of discussion on trademarks and association law, maybe, you know, contribution policies,

10:24.480 --> 10:29.680
but in general it was something we did internally and that was nice and comfortable and we could

10:29.680 --> 10:36.480
define the timeframe, and then what's changed now is we're getting all these pieces of regulation

10:36.480 --> 10:43.040
which impose obligations on us from the outside, and this is, you know, on one hand it's

10:43.040 --> 10:49.360
completely new, on the other hand the timetable is imposed as well, so if we choose not to participate

10:49.360 --> 10:54.400
then it just means that we don't get taken into account during the drafting of the text, so

10:55.200 --> 11:00.880
really we have to change the way as an ecosystem we organize and participate in the

11:00.880 --> 11:08.240
development of our legal infrastructure. So then getting on to the real part one, what I'd like to

11:08.240 --> 11:15.360
talk about is the idea of why we should be in favor of doing more than the minimum so we you know

11:15.360 --> 11:19.920
I started off by saying that people sometimes try to get into the exemption and the idea is that

11:20.880 --> 11:24.960
you know nobody likes to have obligations imposed from outside especially ones that we didn't

11:24.960 --> 11:31.760
like and we might really like the way they're written and so then you know the default mindset is

11:31.760 --> 11:36.560
well how do we how do we get into a situation where we can ignore that and do our own thing

11:37.120 --> 11:43.760
but so I'd like to make the case for why we should try and do more than the minimum. So the first

11:43.760 --> 11:54.240
point is that the smaller projects may be exempt from the Cyber Resilience Act,

11:54.240 --> 12:03.840
however in general I think it's true that projects are largely motivated by having a great user

12:03.840 --> 12:09.360
base and having a large and interesting user base preferably also a user base that pays for the

12:09.360 --> 12:18.560
software, that's the ideal situation, and so one thing that we can improve by doing some of the

12:18.560 --> 12:25.360
CRA work even when it's voluntary is that it makes it easier for upstream or downstream to then

12:25.360 --> 12:31.200
use your software, and so if you want to make yourself more attractive this is a good way to do it

12:31.200 --> 12:37.120
and so we can do that in our own way but there's also a mechanism in the Cyber Resilience Act

12:37.200 --> 12:42.640
which allows you to get recognition for the compliance work that you voluntarily do, and that's

12:42.640 --> 12:49.440
the attestation system and my colleague Eva is going to present the details or a proposal for

12:49.440 --> 12:58.000
how that could work in the next session, so I'll leave the details there. The second reason why it's

12:58.000 --> 13:04.960
probably a good idea to voluntarily do some compliance work is that, as I mentioned at the start,

13:05.040 --> 13:10.400
it's not always clear what the words mean and so we may optimistically look at some text and say

13:10.400 --> 13:17.600
nope that doesn't apply to me and therefore you can ignore this but we might find that the text doesn't

13:17.600 --> 13:22.240
mean what we thought it meant and we might also find that you know court cases in the future will

13:22.240 --> 13:28.720
change the interpretation of certain clauses and so maybe it's better to just take a look at the

13:28.720 --> 13:34.080
text now rather than ignoring it. And so when I talk about voluntary compliance, this isn't

13:34.080 --> 13:40.000
doing the full compliance, the maximum of the Cyber Resilience Act, it's more looking into the

13:40.000 --> 13:45.280
various obligations and seeing which ones you would choose to do depending on how interested you are

13:45.280 --> 13:54.000
in making yourself more usable for other projects. The third thing is that, as I mentioned,

13:54.960 --> 13:59.680
the European Commission's goal is to increase cyber security so the two things they want are

13:59.680 --> 14:07.120
cyber security and compliance with the regulation. If we have our own system and it gets widely adopted

14:07.120 --> 14:12.880
and you know can be shown to increase cyber security then this will you know tick the boxes

14:12.880 --> 14:19.120
that the European Commission is interested in, and they'll see that job is now done. If we focus

14:19.120 --> 14:24.240
on trying to undermine all these obligations and trying to squeeze ourselves into the various

14:24.240 --> 14:29.680
exemptions then what will happen is that we will probably not increase cyber security or not

14:29.680 --> 14:34.160
very much and that just makes it more likely that in the future the European Commission will look

14:34.160 --> 14:38.480
at the situation again and say well our previous attempt didn't work as much as we would have

14:38.480 --> 14:45.840
liked and therefore let's have a CRA2 or some other similar law and so this is the idea that

14:45.840 --> 14:52.480
maybe we should do a form of enthusiastic compliance and actually try and share the objectives

14:52.480 --> 14:59.120
of increased cyber security, and this could avoid the situation where we then get follow-on legislation

15:02.160 --> 15:06.960
and then the fourth thing is that we could also do cyber security policy just because it's

15:06.960 --> 15:20.400
a good idea. So those are the four reasons why I would suggest that we don't focus on trying

15:20.400 --> 15:26.400
to aim for the minimum that we have a broader discussion of what's the purpose of putting

15:26.400 --> 15:34.160
any effort in and you know what's the the overall outcome of having good cyber security versus

15:34.160 --> 15:39.680
having a system that we put work into and it ticks boxes and doesn't really achieve much. So

15:42.960 --> 15:49.200
so I did have slides on the specific obligations of manufacturers and stewards but yeah,

15:49.200 --> 15:53.520
as I said there were presentations about that yesterday, so those videos will all be online, so

15:53.520 --> 15:58.960
I removed those slides but I just wanted to show you know one quick table which talks about the

15:58.960 --> 16:05.840
stewards, you know, the various obligations, and one obligation is for reporting of actively

16:05.840 --> 16:11.520
exploited vulnerabilities and for this one obligation you then have to check well what are the

16:11.520 --> 16:17.200
relationships between the steward and the software users, and on the left-hand side you have different

16:17.200 --> 16:23.120
types of relationships and then you have ticks or NA to say whether the obligation applies and so the

16:23.200 --> 16:29.920
purpose is just to show that it's not as simple as it might appear when you hear a summary

16:29.920 --> 16:34.720
and it mentions, you know, stewards have very few obligations, well you do still have to dig in and

16:34.720 --> 16:43.360
figure out what are the obligations for a specific case. So coming back to the timeline, the other

16:43.360 --> 16:50.400
topic I want to talk about and maybe I'll focus more on this is how much of the CRA is still being written

16:50.560 --> 16:55.760
because this is something that hasn't been covered in the other presentations as far as I know so the

16:58.160 --> 17:03.360
the actual text of the Cyber Resilience Act was adopted, I think I've mentioned, December

17:03.360 --> 17:13.760
2024, and so that is the law. The law entered into force, but the law says that to explain

17:13.840 --> 17:20.080
how to comply with the law the commission will have standards bodies draft a certain number of

17:20.080 --> 17:26.800
standards, I think it's 41 or 44, and so the standards are, for example, you know, the first obligation

17:26.800 --> 17:33.040
in the Cyber Resilience Act is an obligation that you can publish software if it contains,

17:34.400 --> 17:39.600
I hope I have the words right, no known exploitable vulnerabilities. And so what do each of these words mean,

17:39.600 --> 17:47.200
how do I be sure, you know, when I'm shipping my software, that it complies with this obligation,

17:47.200 --> 17:54.800
and so the standards organizations will draft a standard for how to determine this and how to do a

17:54.800 --> 18:00.800
risk assessment maybe as well that shows whether you've done enough work on this and so that's

18:00.800 --> 18:06.320
an example, that's one sentence that will then be explained by a standardization document which

18:06.320 --> 18:14.880
will be multiple pages and very practical. So there are 44 standards, there is a document on just the

18:14.880 --> 18:19.280
general interaction of the Cyber Resilience Act and free and open source software, that's the guidance

18:19.280 --> 18:25.200
document there is another guidance document on remote services because there is an exemption

18:25.200 --> 18:34.320
exemption for these in the Cyber Resilience Act. Then there are delegated acts to define

18:34.400 --> 18:40.960
special categories, so special categories are things like if you're making password managers, I think

18:40.960 --> 18:46.960
there's a special category there, and it says you have a standard for extra security

18:46.960 --> 18:50.880
procedures you have to do, and in a way that's more difficult because you have extra

18:50.880 --> 18:55.040
obligations but at least you get a document which explains your obligations so in some ways it's

18:55.040 --> 19:01.440
beneficial so it's not good or bad just being in or out of the category but these are things that

19:01.440 --> 19:06.480
are still being worked on now, and this is, you know, why I'm saying the Cyber Resilience Act,

19:06.480 --> 19:11.840
the original text was finished but it actually in the text it says we're going to continue

19:11.840 --> 19:17.520
working on these for the next two or three years. The attestation program as well, which I mentioned,

19:17.520 --> 19:23.440
is also part of a delegated act that will be developed and then if everyone is happy with it or

19:23.440 --> 19:27.520
if the right people are happy with it a delegated act will be created to actually put this in

19:27.600 --> 19:33.280
place. And then the last one is SBOMs, and this is, it's kind of a funny topic because it

19:33.280 --> 19:38.560
got so much coverage, but in the Cyber Resilience Act there's very little about what an SBOM actually

19:38.560 --> 19:44.960
has to contain. It's, you know, more or less in a lot of situations you could have a one-line SBOM

19:44.960 --> 19:54.080
saying I got this software from that person there. However there is a clause, and my colleague

19:54.240 --> 19:59.440
Madeline Nague probably in the rooms that were found before you found for him this morning

19:59.440 --> 20:04.800
there's an implementing act which says that the European Commission can change what are the

20:04.800 --> 20:10.160
requirements for the content of an SBOM, so on one hand we have very little in terms of

20:10.160 --> 20:17.440
obligations but it can very quickly be changed and so we may indeed need all the masses of work

20:17.440 --> 20:25.840
to put into that. So then I have to come back on what I said, so I said that the Cyber Resilience

20:25.840 --> 20:32.240
Act itself is you know finished and published and you know that's you know done and it's

20:33.440 --> 20:39.360
the various adjectives you can use, but it's not that it's never going to change again. In fact there was

20:39.360 --> 20:45.840
a very important typo in the Cyber Resilience Act where the clause that says that stewards

20:46.160 --> 20:52.560
will not be fined for ignoring their obligations in paragraphs two through nine,

20:53.840 --> 20:59.680
they accidentally wrote three through nine, and so, you know, this is a typo that still will be

20:59.680 --> 21:04.160
corrected, I'm not sure if I have the procedure name correct, a corrigendum procedure, but more importantly

21:04.160 --> 21:11.520
there is the digital products omnibus and so this is going to do something that sounds like a very

21:11.600 --> 21:20.160
obvious good idea: this is, if you've done compliance for a different regulation, in particular this

21:20.160 --> 21:26.880
is NIS2, if you've done compliance for that then you automatically tick the box of compliance for the

21:26.880 --> 21:32.880
Cyber Resilience Act and vice versa. It's, you know, the proposal is more or less, it's to avoid

21:32.880 --> 21:40.880
people doing the same compliance, you know, twice basically. It sounds like an obvious good idea

21:40.880 --> 21:47.920
but at the same time there is then a body needed to verify this has been done and then the

21:51.040 --> 21:57.840
the competence in some way moves from certain member state bodies up to an EU agency, and

21:57.840 --> 22:02.240
this of course is not something that everyone thinks is a good idea so you know there will be a big

22:02.240 --> 22:08.560
long discussion about modifying how the Cyber Resilience Act is implemented via the Digital

22:08.640 --> 22:15.760
Products Omnibus. And then finally the text itself will be completely and wholly up for review

22:16.480 --> 22:24.640
by December 2030, so by the time we have the Cyber Resilience Act actually in place and in full effect

22:24.640 --> 22:32.320
at the end of 2027 we will have maximum of three years of living under that regime before

22:32.960 --> 22:42.720
a review gets opened up to see if it should be changed, maybe drastically. So the reason

22:42.720 --> 22:50.960
I'm going into the details of how many ways in which the Cyber Resilience Act is still changing is because

22:51.840 --> 22:55.760
this is something that we can still influence and it's something that we can still work with

22:55.840 --> 23:02.480
the standardization bodies and work with the Commission to improve how it applies to us, and so

23:04.080 --> 23:11.600
again the purpose of this talk is to encourage people to take a look at the Cyber Resilience Act, and even

23:11.600 --> 23:17.120
if you think it doesn't apply, or if you don't think you have the time to, you know, become an

23:17.120 --> 23:22.800
expert in the various parts, it would be good to take a look so that you can see how it does

23:22.880 --> 23:27.680
affect you or how it could be changed and may affect you in the future so at least you can provide

23:27.680 --> 23:33.440
input so that organizations like the Eclipse Foundation who are working on the legislative

23:33.440 --> 23:40.160
side know what changes to push for, what would be good for the FOSS ecosystem.

23:44.080 --> 23:50.880
So then the third, I think, is the final section I want to raise about the ways in which

23:50.880 --> 23:55.200
the Cyber Resilience Act is still changing, is that even when the text itself doesn't change

23:55.760 --> 24:01.360
there are a lot of regulations that are related to the Cyber Resilience Act which will be changing, and so

24:01.360 --> 24:06.720
the first one is the Standards Regulation 1025 and so I'm going to go through each of these

24:06.720 --> 24:11.600
only very briefly because, you know, they're all deserving of a presentation or a half-day

24:11.600 --> 24:17.520
devroom, and so I just want to mention the names really. But the Standards Regulation 1025 defines

24:17.600 --> 24:22.400
how the European Commission interacts with the standardization bodies, and so there's ETSI

24:22.400 --> 24:26.960
and CEN-CENELEC and they write the actual standards, but there's a procedure going back and forth

24:26.960 --> 24:31.440
and, you know, who gets involved and who gets to approve or comment on the various drafts,

24:32.400 --> 24:36.640
that's just being worked on, and that's one of these pieces of legislation that's then

24:36.640 --> 24:42.880
it's important for every other file that we work on that includes Standards and so it'll have

24:42.960 --> 24:48.640
massive importance, but the changes that are made there may arrive too late for the

24:48.640 --> 24:55.200
situation with the Cyber Resilience Act. Another one is the New Legislative Framework, and this is the

24:56.480 --> 25:05.760
terminology of product regulation in the European Union and so formally it's limited to product

25:05.760 --> 25:11.040
regulation, but it often influences other pieces of legislation as well, and so this will define

25:11.120 --> 25:16.240
things like, you know, when is your software distributed in a commercial context or when is it

25:16.240 --> 25:23.200
placed on the market. These terms that we don't really know how to interpret, they will be defined

25:23.200 --> 25:29.520
in the New Legislative Framework, and definitions already exist in the existing text of the

25:29.520 --> 25:36.560
New Legislative Framework, but they're focused on physical products. The last thing is the rest of the

25:36.640 --> 25:44.720
world, but I'll come back to that in a second. So the other side then is that we have,

25:46.480 --> 25:53.600
well, we've been dealing with the EU institutions for different pieces of regulation for just over

25:53.600 --> 26:00.000
20 years, and, you know, one of the complaints we had in the past was that they were creating

26:00.000 --> 26:06.320
regulations that would limit or would affect free and open source software without talking to us,

26:06.560 --> 26:10.960
and so then in the last 10 years we've been saying to them, you know, if you're going to

26:10.960 --> 26:15.600
regulate free and open source software please talk to us first, we surely have some input. And so the

26:15.600 --> 26:22.400
good news now is that they do, and they honestly listen. There are multiple people from the European

26:22.400 --> 26:27.760
Commission in the room right now, I won't identify anyone but they are among us, so they come to

26:27.760 --> 26:33.280
FOSDEM now. This is what's changed, like this is a huge difference compared to even five

26:33.280 --> 26:40.560
years ago. Five years ago there were a handful of people from the Commission at FOSDEM, but

26:40.560 --> 26:46.240
it was because, you know, they were hobbyists, but now this is something, we are now

26:46.240 --> 26:55.840
actually part of the EU legislative mechanism, so it's fantastic that we're now involved,

26:55.840 --> 27:02.240
but we have the new problem then that we have limited resources and we have to try and participate

27:02.240 --> 27:08.320
in the calls for input and, you know, the various procedures on not just the Cyber Resilience

27:08.320 --> 27:12.800
Act but also the AI Act and the Interoperable Europe Act, the Data Act and the DMA and the

27:12.800 --> 27:18.800
DSA and all these different things, and so, you know, we still have to improve

27:18.800 --> 27:23.120
by, you know, growing the pool of people working on these topics, and then we also have to improve

27:23.120 --> 27:27.600
by just working on our efficiency and making sure that we're coordinated and sharing information

27:28.560 --> 27:30.560
so

27:30.560 --> 27:37.680
So one of the things that I think is an important message for a conference like this is

27:37.680 --> 27:44.320
how can people help. So funding is always, you know, massively important, but that's a completely

27:44.320 --> 27:49.200
different slide deck, I don't have all those slides, so that's not the focus of this presentation,

27:49.200 --> 27:57.200
but when people do want to participate in the these various procedures I would say

27:57.680 --> 28:02.000
you know, because on one hand we're really enthusiastic about having more people

28:02.000 --> 28:06.240
involved, but on the other hand, you know, we do have limited resources, and so when we're trying to

28:06.240 --> 28:13.120
onboard or help people to get involved, you know, it does help a lot if people come already prepared

28:13.120 --> 28:17.920
or if people have, you know, some kind of commitment to actually stay involved.

28:18.880 --> 28:24.080
the policy work that was done by the free software ecosystem up until about five years ago

28:24.160 --> 28:29.920
was often done by individuals who took an interest and so there's a lot of particular managers

28:29.920 --> 28:34.880
of you know CEOs who would see something and they say this is absolutely critical and they

28:34.880 --> 28:40.640
work on it for two years and then once it gets finished they go back to their real jobs

28:40.640 --> 28:46.640
and you know they often did fantastic work but the knowledge they gained during the work

28:46.640 --> 28:51.360
they did on an entire cycle of legislation then just you know disappeared and then for the next

28:51.360 --> 28:56.960
cycle of legislation we get to start from scratch again so it's a very positive thing

28:56.960 --> 29:04.400
that we now have policy people and even in recent years it's growing a lot I think in 2022 we

29:04.400 --> 29:10.720
had three people in Brussels for various organizations we now have I think roughly 11 people

29:10.720 --> 29:15.840
spread across the different organizations and so everyone else's slides

29:15.840 --> 29:20.560
had a banner along the top which had the logos of all the organizations that are involved

29:20.640 --> 29:25.760
in organizing this devroom that's pretty much the group of organizations that also has people in Brussels

29:25.760 --> 29:33.760
so those are the people that I think at the end of this so we're happy to have people join

29:33.760 --> 29:39.680
us we don't always have much in terms of resources for onboarding people but so if you can come

29:39.680 --> 29:46.240
you know a bit prepared or at least you're ready to stay involved that's great

29:47.200 --> 29:52.000
in a lot of cases joining many of these organizations like for example the open regulatory

29:52.000 --> 29:57.680
compliance working group for many categories in particular for small entities and for self-referendations

29:58.320 --> 30:04.640
as far as I know joining is free and you know we're happy to have a communication and interaction

30:04.640 --> 30:08.960
with these entities and we're also happy to have logos on the website so we can show

30:09.600 --> 30:14.320
this you know these are the people that we're working with and it shows the European

30:14.400 --> 30:20.880
institutions as well that we are representing a larger group and we're in communication rather than

30:20.880 --> 30:31.200
just the narrow interests of Warner or one sector so I'm just coming quickly back to the

30:31.200 --> 30:38.640
topic of the rest of the world so this is something that we don't really have people working on

30:38.640 --> 30:47.200
because it's complicated and it requires a network that takes years to make so

30:47.200 --> 30:54.320
the worst case scenario would be if the rest of the world looked over and said this is a

30:54.320 --> 31:00.880
fantastic idea let's also have cyber security regulation and then developed their own

31:00.880 --> 31:06.400
regulation with the same objectives as the CRA however with you know a completely tailored

31:06.720 --> 31:13.200
set of obligations so if this would happen we would have for example 10 different countries or

31:13.200 --> 31:20.080
regions and imagine each one of the 10 has different obligations in their law a lot of companies will

31:20.080 --> 31:25.600
then not be able to comply with all 10 laws and then you'll find companies that are focusing on

31:25.600 --> 31:30.080
okay I'm commercializing in Europe or I'm commercializing in Asia and therefore I

31:30.080 --> 31:37.440
focus on you know these subsets and you know this then means that you're doing more and more

31:37.440 --> 31:43.200
work to comply with Japan and South Korea and India but you're actually ending up being able to

31:43.200 --> 31:47.680
distribute to fewer countries because if you focus on the Asian countries and someone

31:47.680 --> 31:52.240
else is focused on the European countries then nobody can combine those two software packages and

31:52.240 --> 31:57.680
create a you know a larger product because you wouldn't have the compliance documentation

31:58.080 --> 32:05.840
that covers both regions so that would be the worst case scenario and to counter that, the effort to

32:05.840 --> 32:10.880
reduce the risk of ending up in that scenario this is also this comes back to the idea of voluntary

32:10.880 --> 32:17.040
compliance and even enthusiasm and enthusiastic compliance if we can develop a system that

32:17.040 --> 32:22.480
ticks the box in the CRA and also makes everyone happy that they are working on something useful

32:22.640 --> 32:28.880
and increases cybersecurity then it's a lot easier to go back to the other governments of the

32:28.880 --> 32:33.520
world and say you know here's a system that really works maybe you can put this into your law

32:35.600 --> 32:41.840
in general it's an uphill battle because countries often don't like being recommended to

32:41.840 --> 32:46.640
copy what some other country has done everyone likes to do their own thing and so we have to find

32:46.640 --> 32:52.240
different ways to convince them that staying compatible would be a good idea and so if everyone

32:52.240 --> 32:56.720
would adopt something similar to the CRA that would be one way of doing it but not everyone

32:56.720 --> 33:01.600
will like every part of the CRA but maybe we can ask other countries to consider

33:01.600 --> 33:08.080
it, take the bits of the CRA that you do like and implement that and then that confirms

33:08.080 --> 33:12.080
each country's autonomy in choosing their legislation but you know we end up with something

33:12.080 --> 33:17.040
that's compatible and we can still do you know one procedure for compliance and then commercialize

33:17.120 --> 33:22.960
and distribute everywhere. A second possibility that is mentioned in the Cyber Resilience Act is called

33:22.960 --> 33:30.240
a mutual recognition agreement and by this we could have completely different laws but we

33:30.240 --> 33:36.000
could sign an agreement with for example South Korea to say if companies in your country

33:36.000 --> 33:42.480
follow your law then we accept that as also ticking the boxes of the CRA and companies following

33:42.480 --> 33:48.400
the CRA you accept that as ticking the box for your law. I've heard this is more difficult than

33:48.400 --> 33:54.720
it sounds because you then need agencies set up in the other country to verify that the laws

33:54.720 --> 33:59.120
are being applied correctly and I haven't looked into the details but just because it's mentioned

33:59.120 --> 34:08.800
in the CRA doesn't mean you can actually implement it easily at all. Then another possibility

34:08.800 --> 34:15.600
would be if we do develop our own procedure and it's wildly popular and effective then maybe when

34:15.600 --> 34:21.040
the Cyber Resilience Act is being updated in 2030 maybe it could be added into the Cyber Resilience Act

34:21.040 --> 34:27.280
that you can follow the traditional CRA program or you know this other thing that's working

34:27.280 --> 34:32.160
very well and you know we'll accept that so this is another way that it could be

34:32.160 --> 34:41.440
done on a global scale. So with that I think I've got just five or six slides but I'm

34:41.440 --> 34:46.080
not going to actually go through the details. The reason I put these slides together is to show

34:46.080 --> 34:54.960
the type of files we're working on starting this month and last month. So the European

34:54.960 --> 35:00.880
Commission generally has a five year cycle and the first year is spent on asking people for

35:00.880 --> 35:05.920
info about what maybe should be done the second year which we're now entering is when they start publishing

35:05.920 --> 35:11.920
actual proposals and then we have to do more substantial work to you know create unified positions

35:11.920 --> 35:18.720
on what's a good idea. So stuff we're working on at the moment is there's the EU long-term budget

35:18.720 --> 35:23.360
and within that is the European Competitiveness Fund which is where a lot of funding for the

35:23.360 --> 35:28.160
the Free Software Programs of the European Commission will probably come from. There's the EDIC

35:28.160 --> 35:33.520
on digital commons there's a new accelerating industry act to have a look into and

35:33.520 --> 35:41.360
there's a gore EU for the public sector then there's a big call for input on

35:41.360 --> 35:46.240
open digital ecosystems which you may have heard of and the deadline for that is Monday midnight.

35:46.240 --> 35:51.840
So that is a document to make a strategy for how the European Commission would use free software

35:51.840 --> 35:57.680
internally and also how to support the private sector ecosystem outside so that Europe gets

35:57.680 --> 36:03.840
maximum benefit from FOSS. So there's the public procurement directive, the Cloud and AI Development

36:03.840 --> 36:10.480
Act, which is also public procurement. We have then in the private sector the EU Chips Act

36:10.480 --> 36:15.520
the EU Quantum Act there's also lots of AI factories and then there's the Interoperable

36:15.520 --> 36:20.320
Europe Act that's from the last three years but once again there's a council and a

36:20.320 --> 36:25.520
community and we can participate in it if we can find people to take the time to do so.

36:26.000 --> 36:32.880
On AI there will of course be new legislation. Implementing the AI Act will be

36:33.680 --> 36:39.600
quite difficult it's comparable in many ways to the Cyber Resilience Act in fact but

36:39.600 --> 36:46.400
there could be new legislation on AI liability which has lots of interesting

36:46.400 --> 36:52.080
questions and then there will also probably be a revision of the copyright directive and that is

36:52.160 --> 36:55.520
probably going to turn into a tug of war between the technology and the culture sectors

36:55.520 --> 37:02.960
about whether copyright should be able to limit the development of AI models. That would be big.

37:04.720 --> 37:10.880
So then on market regulation and security we still have implementing the Cyber Resilience Act

37:10.880 --> 37:15.840
we have the Cyber Security Act which is an interesting one that was published two weeks ago and so

37:15.840 --> 37:22.000
this will deal with things like supply chains which are always complicated because

37:22.480 --> 37:27.440
a lot of legislation considers supply chains in a very traditional sense which are kind of

37:28.160 --> 37:32.880
unidirectional but in the free software context we often have supply chains that

37:32.880 --> 37:38.160
where people downstream can become the suppliers or the customers of people upstream and

37:38.160 --> 37:42.720
people end up looking like they're in a supply chain without even realizing that the supply chain exists

37:42.720 --> 37:48.480
and so that's a lot of work we have to do to ensure that these pieces of legislation

37:49.440 --> 37:55.120
have a sensible outcome when applied to free and open source software and then there's just

37:55.120 --> 37:59.280
I wasn't able to categorize everything into five categories so then there's still the

37:59.280 --> 38:06.560
standardization regulation as mentioned the Digital Networks Act and an expert group on

38:06.640 --> 38:19.680
encryption. So that's the new wave of legislation and the massive amount of work that we have.

38:20.400 --> 38:23.520
The work that we did on the Cyber Resilience Act was very useful because it helped us to

38:25.360 --> 38:34.080
realize a bit of urgency and to convince some foundations and companies that they need to have a

38:34.080 --> 38:41.360
policy person to engage in a sustained way and so as I mentioned in 2022 we had three

38:41.360 --> 38:48.400
people in Brussels there's now roughly 11 so as I mentioned the other slides have five or

38:48.400 --> 38:54.960
no so they've got nine or eleven logos along the top and those are the other organizations that

38:54.960 --> 39:01.520
are also doing fantastic work on all these topics and so it's very much a group

39:01.520 --> 39:11.360
effort but it's also a group that's growing visibly by the year. Most of the work that

39:11.360 --> 39:17.680
Eclipse is doing on the Cyber Resilience Act is for the Open Regulatory Compliance Working Group so this is

39:17.680 --> 39:26.480
the website and QR code for small projects as far as I remember it's free to join we would

39:26.480 --> 39:32.800
be delighted to have your input your feedback on whether the work we're doing is as useful as we

39:32.800 --> 39:40.400
hope it is for you we'd like to hear more about what the needs of small entities are and how we can

39:40.400 --> 39:46.720
possibly interact with the European Commission and other agencies to encourage them to help

39:47.280 --> 39:55.120
in a way this is good for everyone but in particular smaller entities. With that I think I've got

39:55.200 --> 40:19.360
two and a half minutes if anyone has a pressing question thank you very much Ciarán I have one question

40:19.600 --> 40:29.280
how's the CRA applying and helping a maintainer which is

40:29.280 --> 40:37.760
not backed by organizations and is software or software is widely used the CRA is effectively going to

40:37.760 --> 40:45.120
block that software from being used by organizations isn't it how can the because my question is how can

40:45.120 --> 40:54.240
that maintainer comply with all those security regulations. Well generally the maintainer won't

40:54.240 --> 41:00.080
have to comply if the maintainer is not part of a company that's commercializing then they

41:00.080 --> 41:04.000
probably won't have to comply and usually the company that is commercializing hopefully they will

41:04.000 --> 41:09.280
have the finances to be able to work on compliance but I see Simon seems to be

41:15.520 --> 41:24.640
okay I've deployed an expert on that one for you excellent yes thanks Simon you could probably

41:26.160 --> 41:36.000
you could do one more yeah no one of the back ones need to run up there no I think you're done

41:36.000 --> 41:53.200
we don't have a question but I want to add to Ciarán's message we want to know what we can do to help you

41:53.200 --> 42:00.080
I'm working for the ORC WG to produce training materials that will be freely available

42:00.160 --> 42:08.480
on the topic of CRA if you have any ideas or questions or things you need in your

42:08.480 --> 42:14.240
organization please tell one of us or team over here thank you

