
Thanks Romain, hi list, On Mon Mar 17, 2025 at 11:52 CET, Romain Bosc wrote:
> For those following the CRA, the European Commission has published the draft Implementing Act and corresponding Annex, including the technical description for the categories of important and critical products with digital elements:
> https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14...
> The draft is open for feedback until April 15. The final version of the Act is due to be adopted by the European Commission by 11 December 2025 (Article 7, CRA).
I have looked at the Annex, which provides "technical descriptions" for a number of product categories in wide use in the RIPE community: VPNs, "network management systems", "Public key infrastructure and digital certificate issuance software", "Physical and virtual network interfaces" and "Routers, modems intended for the connection to the internet, and switches". Depending on how these product categories will be scoped by the EC in these technical descriptions, *Manufacturers* face a higher or lower burden when performing conformity assessment under the CRA.

I believe some of these descriptions lead to unexpected outcomes, and I wonder if there are others on this list interested in cooperating on a bit of analysis and filing a joint comment if we find something to contribute. If so, let me know.

kind regards,
Maarten

Two examples to provide some flavour of what this document entails:

The category of
6. Network management systems
is described as
Products with digital elements that collect information about and allow the configuration of network elements, such as servers, routers, switches, workstations, printers or mobile devices. This category includes but is not limited to network management systems that can be deployed on premise or on cloud.
It appears to me that this broad description would include many networking products, including, say, a software implementation of the ARP protocol to map IP addresses to MAC addresses on common LAN networks, because it collects such mappings, thereby collecting information about and, by doing so, configuring network elements. That's perhaps theoretical. But what about a DHCP product? BGP? Authoritative DNS? Are these all intended to be scoped as a "network management system", an "important product" in the context of the CRA? I had always expected the category of "network management systems" to be about centralized frequency scheduling in mobile networks, optical configuration for cable systems or other centralized control plane management software, but I guess we'll find out.

---

The category of
Public key infrastructure and digital certificate issuance software
is described as
Products with digital elements used as part of a public key cryptography scheme to manage asymmetric cryptographic keys and digital certificates, including their creation, issuance, distribution, validation, renewal, storage or revocation. This category includes but is not limited to key management systems, digital certificate management systems and online certificate status protocol responders.
Here, I wonder if the use of the words "validation", "storage" and "distribution" broadens it so much that it would even include the relying party side of a PKI, i.e. the side that does not commonly handle private key material.

P.S. For those that have followed along about open source software scoping of the CRA: the above is orthogonal to that topic, because only 'Manufacturers' (those that make their product available on the market in a commercial activity) face the obligation to perform conformity assessment. Many open source projects will either be out of scope entirely, or be considered to be an 'open source software steward'. Finally, for Manufacturers that release their product as open source software, there is the option of publishing technical documentation and thereby being allowed to follow the regime for normal products.

--
Maarten Aertsen
senior internet technologist, NLnet Labs