Dear DPL candidates, As you may be aware, the EU has adopted a new cybersecurity regulation [CRA] and other countries are following the example. You may also be aware that Debian issued a public statement about it (based on a previous draft version of the regulation) last year. The CRA will have an impact on commercial Debian downstreams, specifically on all of those who are placing a Debian-inside product in the EU single market. Part of the requirements rely on data that should be found in every single package integrated by the commercial downstream. And, as of today, part of that data is non-existent. E.g.: include (meta)data about the support status upstream (supported, non-supported version, EOS date, ..., required for Article 13 (11)). Also, manufacturers are required to "apply effective and regular tests and reviews of the security of the product with digital elements" (Annex I pII (3)). Non-commercial FLOSS products/projects do not have to comply with the CRA. However, I think there could be an impact in the industry regarding the adoption and use of Debian. What are your thoughts on the subject?
Right now I do not have much of an idea about the CRA and its impact, but I would say what I think about downstream distros. Since in Debian we do not want to discriminate between commercial and non-commercial adaptations, I do think that we should look into the issue and see if there is any way that Debian can help out. For this, we need to study the CRA in detail, maybe take help from lawyers, and explore possibilities. Should Debian help those commercial downstreams to fulfill the requirements?
[CRA] https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html Thanks for running for DPL to both of you! -- Santiago