Also, to avoid "dangerous", not-yet-professional amateurs having a chance against big editors.
Courts and regulators, particularly European ones, understand when there's a "will" to follow the law. It's one of the differences between "rules-based" and "principles-based" regulations.
Not too bad really.
[1] https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-...
Lots of big players are already providing shit software to millions of customers especially through government contracts because they've hired armies of legal and sales teams, squashing the little guy in the process.
If just providing some small web service built on top of open source now requires hiring a huge legal team, well goodbye to any entrepreneurship.
I know this because I've seen big players win contracts over actually talented people 9 times out of 10 because they can play this regulation game, and I've seen small companies burn hundreds of thousands in consultancy fees over GDPR that made zero difference for their WordPress setup that a talented coder could have fixed in 10 hours.
That said, the intentions are good, but for some reason the EU thinks small players should have the same extreme measures as Facebook, Google, i.e. the actual reasons this regulation was made in the first place. Bizarre.
- If you run a commercial kitchen on your own (or, let's say, with a staff of 2-3 people), can you ignore the food safety regulations? The fire regulations?
- If you run a one-man plumbing company, can you ignore safety regulations? Water regulations? Sewage regulations?
etc.
Why is it that when it comes to "commercial software" it is inevitably "oh my god these laws are so hard, why should I as a one-man company be forced to comply with them"? Because that is literally your job.
Following best practices and demonstrating that you care goes a long way (that has been demonstrated time and time again in courts throughout the union).
Also it differentiates between what kind of product you are building (see the annexes).
Most of the requirements (look them up) are best software dev practices unless you are in one of the specific "critical" categories of products.
Then, to be honest I don't really care that you are a one person (commercial) shop when my car gets steered off the road because of a preventable security hole.
- There are rules, and clear established practices that allow you to follow these rules. In software the rabbit hole goes so deep that your average developer cannot even be aware of all the risks.
- You do not have to rely on millions of lines of code you have no control over.
As a simple example, if you are using network communications, you are probably using OpenSSL, GnuTLS or one of the few other TLS implementations. All of them have regular security issues, and simply selling support on open source software you built using one of them will make you liable for these issues. There is no choice: you need TLS, and you're not going to implement it yourself. What are you supposed to do?
The fact that a solo developer selling 100€/month of support is treated the same way as a billion dollar company demonstrates the complete insanity of this act.
But they're not treated the same way. Both by the law itself and the standards courts and regulatory agencies use throughout Europe.
As I read it, and with the caveat that the exact requirements are not yet determined: You will need an SBOM stating you use OpenSSL, and how you plan to update OpenSSL if it contains security bugs.
Update: found it, paragraph 46a: In relation to small and micro enterprises, in order to ensure proportionality, it is appropriate to alleviate administrative costs without [...]
Look at everything that is included (VPN, OS, anything related to security, ...). This regulation forces a full declaration of the identity of the editor/manufacturer and more. Any other product that is not under the control of the authority will be illegal.
The regulations are designed to deepen the software moat, and security theater, and I say this as an InfoSec professional.
IANAL but Annex III Class I.2 states: "Standalone and embedded browsers", which would implicate every Electron app. Class I.5 states: "Products with digital elements with the function of virtual private network (VPN)", which is so vague it could apply to video game chat messages.
The problem with regulations like this is they're so vague and will be selectively enforced. They won't affect Big Corp but will affect small business and solo developers.
I don't follow how rules for software with VPN functions could apply to a video game chat, but as with all laws, intent and interpretation matter. Successfully convincing a judge that your game chat is a Class I critical product is unlikely.
I also don't think that the CRA is too vague. Rules that are too specific will just be circumvented. Enforcement works like any other market rule. You can sell all sorts of non-compliant products in the EU but if you are found out you pay a fine. It won't be any different with the CRA.
Regulations can make sense for software that could cause physical harm - like the software in an implanted medical device - but most software doesn't fall in that category. The CRA is about "security" not about "physical harm" - they are two different things. Regulations for the latter would likely receive less pushback.
Your distinction is without meaning.
If you cook for your friends, but then decide to open a commercial kitchen, do you think you will be exempt from food safety regulations?
A recall was issued therefore there is already regulatory oversight where it counts. The CRA is at best redundant and at worst a prime example of regulatory capture [1].
Just because a recall was issued doesn't imply that there's regulatory oversight. And even if that oversight exists in that particular case, it doesn't mean it is applicable to other areas.
What it does mean is that your weak attempt to paint software as exempt because it "doesn't lead to food poisoning" is weak and uninformed at best.
> The CRA is at best redundant
It's not
> at worst a prime example of regulatory capture
Again, it's not.
Just because you engage in FUDing, doesn't make your words true.
First you tried to pretend that software is somehow different because it "doesn't do any physical harm".
I addressed that directly with a very specific example of physical harm.
(Besides, there are many more concerns beyond just physical harm, and my example of food poisoning was just an example that you must follow safety regulations even if you're a "one-person" company)
So your next counter-claim was a non sequitur that "since it was recalled it means that there are regulations", which doesn't make sense even logically, and which I addressed as well.
And the rest is just unsubstantiated claims that the law is redundant at best and bad at worst which is pure FUD.
How's that for good faith argument?
With this, I remove myself from this discussion. Adieu.
You're trying to carve out an exception for you yourself specifically because you assume that your special case is too special.
1. Laws don't usually work that way
2. There are innumerable cases when "innocuous" software is used as an attack vector precisely because "we don't do nothing why would we keep our software secure"
3. In the EU you're safe until you really screw up. More discussion in this thread: >>38819780