CRA - draft Implementing Act and corresponding Annex

Dear Maarten and colleagues,

Thank you for sharing some of your feedback here on the list. Having seen no volunteers on the list to join you just as yet, and as the deadline for the comments is approaching, perhaps the co-chairs could draft a statement, based on your list of concerns, and submit it as feedback to the current draft? The feedback itself should not represent any commercial interests or the interests of any manufacturer, but precisely comment on the broadness of the terms used, such as “network management system”. We would, of course, run the draft by our members to see if there’s any objection or support for it.

Desiree — RIPE Coop WG Co-chair
On 28 Mar 2025, at 15:27, Maarten Aertsen <maarten@nlnetlabs.nl> wrote:
Thanks Romain, hi list,
On Mon Mar 17, 2025 at 11:52 CET, Romain Bosc wrote:
For those following the CRA, the European Commission has published the draft Implementing Act and corresponding Annex, including the technical description for the categories of important and critical products with digital elements:
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14...
The draft is open for feedback until April 15. The final version of the Act is due to be adopted by the European Commission by 11 December 2025 (Article 7, CRA).
I have looked at the Annex, which provides "technical descriptions" for a number of product categories in wide use in the RIPE community: VPNs, "network management systems", "Public key infrastructure and digital certificate issuance software", and "Physical and virtual network interfaces" and "Routers, modems intended for the connection to the internet, and switches".
Depending on how these product categories will be scoped by the EC in these technical descriptions, *Manufacturers* face a higher or lower burden when performing conformity assessment under the CRA.
I believe some of these descriptions lead to unexpected outcomes and I wonder if there's others on this list interested to cooperate on a bit of analysis and file a joint comment if we find something to contribute. If so, let me know.
kind regards,
Maarten
Two examples to provide some flavour of what this document entails:
The category of
6. Network management systems
is described as
Products with digital elements that collect information about and allow the configuration of network elements, such as servers, routers, switches, workstations, printers or mobile devices. This category includes but is not limited to network management systems that can be deployed on premise or on cloud.
It appears to me that this broad description would include many networking products, including, say, a software implementation of the ARP protocol to map IP addresses to MAC addresses on common LAN networks, because it collects such mappings, thereby collecting information about, and by doing so configuring, network elements. That's perhaps theoretical. But what about a DHCP product? BGP? Authoritative DNS? Are these all intended to be scoped as a "network management system", an "important product" in the context of the CRA?
I had always expected the category of "network management systems" to be about centralized frequency scheduling in mobile networks, optical configuration for cable systems or other centralized control plane management software, but I guess we'll find out.
---
The category of
Public key infrastructure and digital certificate issuance software
is described as
Products with digital elements used as part of a public key cryptography scheme to manage asymmetric cryptographic keys and digital certificates, including their creation, issuance, distribution, validation, renewal, storage or revocation. This category includes but is not limited to key management systems, digital certificate management systems and online certificate status protocol responders.
Here, I wonder if the use of the words "validation", "storage" and "distribution" broadens it so much that it would even include the relying party side of a PKI, i.e. the side that does not commonly handle private key material.
P.S.
For those that have followed along about open source software scoping of the CRA; the above is orthogonal to that topic, because only 'Manufacturers' (those that make their product available on the market in a commercial activity) face the obligation to perform conformity assessment. Many open source projects will either be out of scope entirely, or considered to be an 'open source software steward'. Finally, for Manufacturers that release their product as open source software, there is the option of publishing technical documentation and thereby being allowed to follow the regime for normal products.
--
Maarten Aertsen
senior internet technologist, NLnet Labs