Not sure if this is worthy of a post here, but maybe it is. After some controversial attempts led by Hungary in the European Parliament to introduce mass surveillance in the EU with its Chat Control proposal (which is still under discussion, but even the Dutch spy agency issued a statement that they oppose it), the EU has passed a law that seems rather positive: enforcing security requirements for digital products that are networked.
If I understand it right, it excludes open-source software. As expected, lobbyists introduced exceptions for certain sectors (medical, cars, aircraft). I think it is a self-certification process, but also includes publishing:
Software Bill of Materials (SBOM)
Vulnerability disclosures
Haven’t looked too much into the text itself. But overall, I think it is a good thing that we don’t have hundreds of computers and internet-connected devices without knowing what software they run and what they are vulnerable to.
In my understanding, this might be the first law adding blanket regulation for software running on consumer devices. I believe that Robert Cecil Martin predicted this when he said that we as computer scientists are rather privileged in that there is no blanket rigorous process we have to follow to build stuff, the way that engineering has. And if we don’t make sure that the stuff we build is safe, we will be increasingly subject to regulation.
I have queued reading the regulation document for the weekend (“yay”) over Han Kang (as per tradition of poking at Nobel Prize winners), as there will be undoubtedly some contracting opportunities for quick assessment as to actions for compliance:
A body belonging to a business association or professional federation representing undertakings involved in the design, development, production, provision, assembly, use or maintenance of products with digital elements which it assesses, may, on condition that its independence and the absence of any conflict of interest are demonstrated, be considered to be such a third-party body.
and
A conformity assessment body, its top level management and the personnel responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, development, production, import, distribution, the marketing, installation, use or maintenance of the products with digital elements which they assess, or represent the parties engaged in those activities. They shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to conformity assessment activities for which they are notified. This shall in particular apply to consultancy services.
From a quick skim for open source maintainer implications, it seems that page 15 narrows the affected targets quite a bit:
“For instance, the mere fact that an open-source software product with digital elements receives financial support from manufacturers or that manufacturers contribute to the development of such a product should not in itself determine that the activity is of commercial nature.”
there will be undoubtedly some contracting opportunities for quick assessment as to actions for compliance
Are you saying that this is the time to hop on over to LinkedIn and spam any company that sells internet-connected consumer devices in the European Union with offers for consultancy services to fulfill the requirements?
It might actually be a way for nerds like us to get in, properly audit their stuff and fix some gaping vulnerabilities. I am secretly hoping that members of the CCC or similar hackerspace organizations get together and offer these services.
How do they define “digital elements” if they need to specify “software product with digital elements”? That sounds redundant under the common meanings of those words.
The “software” is the part that’s being more specific in that case, as a subtype of “product with digital elements”, which is what the overall thing is about, given as
‘product with digital elements’ means a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;
And legalese will use the full established term when possible instead of taking a shortcut.
Are you saying that this is the time to hop on over to LinkedIn and spam any company that sells internet-connected consumer devices in the European Union with offers for consultancy services to fulfill the requirements?
If they do IoT, want their CE stamp and you’re not allergic to money, yes. Some opportunists I know are doing just that.
How do they define “digital elements” if they need to specify “software product with digital elements”? That sounds redundant under the common meanings of those words.
https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdf doesn’t seem to define the phrase “digital elements” before using it.