- Edri-cra-discussion - mailman.edri.org

Fwd: Comments for article on Cyber Resilience Act [Wednesday]
by Jan Penfrat (EDRi) 14 Oct '24

14 Oct '24

Dear all, Does anyone feel like responding to a (friendly) journo request on the CRA for German newspaper Tagesspiegel? Deadline for comment/interview is Wednesday. Please say yes to the list to that others know you are taking it. Thank you! Jan -------- Forwarded Message -------- Subject: Comments for article on Cyber Resilience Act [Wednesday] Date: Fri, 11 Oct 2024 09:24:00 +0200 From: Maximilian Henning <max(a)maxhenning.eu> To: shubham.kaushik(a)edri.org Hi Shubham, Maximilian here. I'm currently writing an article for Tagesspiegel Background on the Cyber Resilience Act passing through it's last hurdle yesterday and am looking for comments. In case EDRi has any opinions on the CRA, I'd be happy to include them in my piece, especially regarding a few questions: 1. What do you think will be the effect of the CRA? 2. Are there any changes you still would have liked to see in the law? 3. How well do you expect enforcement in the member states to work? 4. Do you think there will be any upcoming conflicts? 5. Is there any topic adjacent to the CRA that you would like to see the EU become active on? In case you do have any comments, I'd be glad about a response until Wednesday. Looking forward to your answer, Maximilian Henning -- Maximilian Henning Freelance journalist Website: maxhenning.eu Mail:max@maxhenning.eu Phone: +49 176 94911677 Mastodon: darmstadt.social/@zarasophos

2 2

Commission is calling for a Cyber Resilience Act expert group
by Walter van Holst 11 Oct '24

11 Oct '24

https://digital-strategy.ec.europa.eu/en/news/call-applications-cyber-resil…

1 0

New Council text
by Walter van Holst 11 Oct '24

11 Oct '24

See attached document. Council has voted this in. Regards, Walter

1 0

Shutting down the CRA mailing list?
by Jan Penfrat (EDRi) 10 Oct '24

10 Oct '24

Dear CRA list members, We are currently cleaning out our 50+ EDRi mailing lists and I have been wondering if this list is one of those that can be closed. Please let me know if that sounds OK for you or whether you would like to keep this channel to continue exchanging info about the CRA. If I hear no objections *by Monday, 21 October*, I will proceed to close this list. Thanks! Jan -- JAN PENFRAT (he/him) Senior Policy Advisor Mobile/Signal: +32 470 839 044 Matrix: @jan:penfrat.net EUROPEAN DIGITAL RIGHTS www.edri.org <https://www.edri.org>| Mastodon <https://eupolicy.social/@ilumium>| PGP <https://edri.org/files/pgp-keys/janpenfrat.asc> /Working days are Monday-Thursday/ <https://edri.org/edri-visions-for-digital-futures/>

2 2

Final CRA is OK isn't it?
by Jan Penfrat (EDRi) 12 Mar '24

12 Mar '24

Hi all, Sorry this list has fallen silent a bit. The final CRA is going to be approved in Plenary soon and I as wondering if we all agree with what most of the FOSS community has said about the result: that it is OK. I understand it's not great and in particular wrt security updates we would have wanted more, but is it correct to tell people who ask that we're generally rather supportive of the CRA as it has been agreed, or at least that we don't have any major issues with it? Thanks for any issues you'd like to flag! Jan -- JAN PENFRAT (he/him) Senior Policy Advisor Mobile/Signal: +32 470 839 044 Matrix: @jan:penfrat.net EUROPEAN DIGITAL RIGHTS www.edri.org <https://www.edri.org>| Mastodon <https://eupolicy.social/@ilumium>| PGP <https://edri.org/files/pgp-keys/janpenfrat.asc> /Working days are Monday-Thursday/ <https://edri.org/take-action/stay-up-to-date-with-edris-newsletters/>

3 4

CRA trialogue
by Walter van Holst 01 Dec '23

01 Dec '23

Apparently there is progress on the Cyber Resilience Act: https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-re…

1 0

Reducing EDRi office engagement on CRA
by Diego Naranjo 24 Oct '23

24 Oct '23

Dear all, As you have not doubt noticed, there has been less engagement on the Cyber Resilience Act (CRA) from EDRi office side these past weeks. The first reason is that in order to stem the attention required for the *large number of policy processes Jan is currently following* (DMA and DSA enforcement, Health Data Spaces, Net Neutrality and EDRi IT needs). In addition to our workload, there is a *larger number of stakeholders working on CRA compared to other pieces of legislation*, especially in the areas of free software exemption, vulnerability handling, and security patch periods... Because of both reasons, we decided to de-prioritise our work on the CRA for the time being. Jan will participate in one last speaking event on a Microsoft-led panel on vulnerability handling on Thursday morning at 9am and then *he will be on parental leave in November and December*. In the meantime, please contact me directly for any immediate questions or actions EDRi should be involved in regarding the CRA. Once Jan is back from his leave in January, and following the (upcoming EDRi) office and EDRi network discussions on the EDRi office 2024 work plan, we can re-discuss what kind of priority we can allocate to this file. I hope this will work for you. Jan and I thank you for your understanding for this kind of difficult decisions. Any feedback is of course most welcome! Best regards, Diego -- DIEGO NARANJO Head of Policy EUROPEAN DIGITAL RIGHTS www.edri.org <https://www.edri.org>| @_DiegoNaranjo <https://twitter.com/_DiegoNaranjo>| Phone: +32 489 229 779 (Signal/WhatsApp) *From July 2023 EDRi is trialing a four-day week. Our working days are Monday-Thursday*

1 0

Vrijschrift to Dutch Parliament: EU Cyber Resilience Act will harm competitiveness
by Ante Wessels 09 Oct '23

09 Oct '23

Dear all, Vrijschrift to Dutch Parliament: EU Cyber Resilience Act will harm competitiveness The EU Cyber Resilience Act (CRA) proposal aims to make products containing software and software itself more secure. [1] This objective is endorsed by Vrijschrift. The Minister of Economic Affairs and Climate has written to the Senate that concerns regarding open source software have been “extensively addressed” by means of a recital. However, recitals do not have independent legal force; the amendments of the Council of the EU are ineffective. The CRA, if adopted in this form, will seriously harm the open source ecosystem and the competitiveness of the European economy. https://www.vrijschrift.org/serendipity/index.php?/archives/262-Vrijschrift… kind regards, Ante

2 2

Status? Timelines
by Walter van Holst 26 Aug '23

26 Aug '23

Hi all, Do we know what opportunities are left for amendments? What the timelines are now? Regards, Walter

2 1

[Sign-on] Open letter on vulnerability disclosure in the CRA
by Jan Penfrat (EDRi) 12 Jun '23

12 Jun '23

Dear EDRis, Thank you for allowing me to cross-post this so everyone has seen it: While the overall work on the Cyber Resilience Act <https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-…> is going rather well (as compared to other legislative dossiers I assume), one of the problems that still persists: The EP wants to compel manufacturers of connected devices to notify the EU's Agency for Cybersecurity ENISA <https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity> about details of unpatched security vulnerabilities. Given EU member states' track record of state-sanctions hacking, we believe it's a bad idea to create government-run databases full of zero-day exploits. I have therefore drafted an open letter to lawmakers working on the CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem and would like to kindly ask you to *co-sign it individually if you can _by Monday, 12 June at noon_*. Please also let me know should you have any major concerns with the draft letter. Thanks a lot! Jan -- JAN PENFRAT SENIOR POLICY ADVISOR EUROPEAN DIGITAL RIGHTS Rue Belliard 12, B-1040 Brussels Matrix: @jan:penfrat.net Phone: +32 2 274 25 76 www.edri.org <https://www.edri.org>| Mastodon <https://eupolicy.social/@ilumium>| PGP <https://edri.org/files/pgp-keys/janpenfrat.asc> Subscribe to the EDRi-gram to become a digital rights connoisseur! <https://edri.org/take-action/edri-gram/> Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>

5 6