So a quick apologies to the people on the live stream.
What we just did was workshopping.
It was, in my idea, real fun and also real messy.
You couldn't see it on camera, but now the program will resume on camera.
And I'll hand back over to Toby, who will take you through it.
Wonderful. Thank you. Well, I thought that was fun.
I hope you enjoyed it too.
So now we're going to, each station, each group will have about five minutes
to talk on some of the key findings that they found
and share them also so that the live audience actually knows what people are concerned about,
what their hopes are, and what kind of solutions we want to.
So I'm going to invite, why don't we start with the, well, the PLD, is the PLD fine?
Yeah, I think that's fine.
Good luck.
Thank you.
Do you want me to go through quickly?
Yeah.
Okay, I think the good word is trust.
That's the main one.
The idea is really to bring the trust in new type of products, at least.
The alignment before the piece of legislation is a good wording.
I mean, as I explained from the beginning, the PLD applies to any type of product,
so it needs to be aligned in that sense.
And I think some people got the idea with the DMA because of the interoperability
that the DMA is introduced now.
And it's a bit of the idea also of the PLD that when you have hardware
and you can install different type of software, you also need to pinpoint
the reliability of the person.
That is a bit of the opening as well to these new possibilities.
I think, so for the fears, we have three types of, across at least two main ones,
the scope, I guess it's the, still the clarity of the scope for the commercial activity,
and the cheating effects that it could have on the community.
I mean, I can talk for the cheating effects, but that, again, we will have to see
exactly how it will work and how it will affect directly the community.
I cannot tell you in advance, I know that there are fears about that,
but that's also the reality.
And as I said, what we only did is to clarify the situation.
We did not change drastically the situation.
I know this is not what you will hear all the time, but the scope was like this already before,
but now has been clarified to his previous way.
So we will have to check for that.
For the scope itself and the commercial activity, again, I cannot tell you on each case
how the commercial activity applies.
What I can tell you is that the commercial activity is not always the same,
or at least the scope is not the same of the piece of legislation.
The PRD will not be applicable to certain products that the CRA does not apply to,
to make it another wording.
It's not because you're not covered by the CRA that you're outside of the scope,
that you will be outside of the scope of the PRD.
You might actually be.
So just to make it as clear as possible.
There was a good question on the open source silicon chips.
If I just remember which one put that question, and I will then get back to it just to understand a bit more.
But I would just go to the solutions.
There is a good call for guidance.
There is something that we call the blue guide that applies for every product in the union.
The blue guide, it's just a guidance, not a piece of legislation that can help market surveillance authorities to apply a legislation, definition, etc.
Could be a good way also to update it for software and specifically to open source software to make it more flexible and more adapted to that.
I think that's a very good point.
I would just use this time to give a short on the communication because there were some points about contractual liability or limiting the liability.
That's not possible.
There is no way that you can escape the product liability directive even by putting any type of clothes.
I'm sorry for that.
The piece of legislation is made for protecting the most vulnerable person.
So you cannot sell a product or you cannot provide a product by limiting it.
But what you can do is if you are a micro enterprise and someone wants to take your open source software, you can decide with him that you will not take over the liability in case something wrong happens.
And so basically if a victim goes to court against you, you will pay.
When I say you, let's not imagine yourself, but you as I say, you can just basically compensate and then you have your own agreement where you get back the compensation from the integrator.
And in the other situation around, if the victim goes against the integrator, the integrator then will not be able to go against you to claim part of the compensation that he gave.
So that's something that exists in possibility in contract.
Thanks.
I think we're good.
Yeah.
Wonderful.
Thank you.
Should we go next?
Do I talk or do you talk?
Do we do both?
Half-half?
That was a bad answer.
Hi everyone.
So on the workshop on the CRA standards, we have, I think, a lot of participation, a lot of thinking heads and a lot of fears in the beginning for sure.
Some hopes, which was nice to see.
And there was also nice to see the connection between the hopes and the solutions.
So I think with time we got to some solutions and I'll let the other moderator explain the solutions.
But I think in terms of how we organize the hopes and fears, there's things that the open source community should probably do and or that they should address.
There's things that the standardization development organizations need to address.
And there's things that the regulator needs to address.
And I think trying to figure out how we can collaborate and cooperate between this triangulation is going to be key moving forward.
So thanks very much for being here and I think we hope we can continue the conversation.
Thank you so much.
And sorry to put you on the spot.
Don't go away right now because you have not been introduced.
And so Felipe Jones-Mauw.
He is the standards person for the CRA at the comm, the EU commission.
And so you will, this is the person that you will be able to bug about these issues the most, right?
So thank you very much for being here and thank you for joining me and organizing this session.
This was great.
So in terms of solutions, we grouped them in a few sort of like topical clusters.
I think the ones that really stood out are open standards.
Like everyone's really concerned about like the process but also access to the actual output of those standards.
So I think this is going to be really critical.
Community organization is one that comes up fairly regularly too.
So how do we do this?
How do we structure ourselves as all of these different stakeholders in the open source community to participate in this is something that we need to work on.
Then there are requests about good EU guidelines.
I think like this is great.
So also requests for EU funding to help was, well probably organization and sending people to actually participate in these efforts would be for example great.
If I can shamelessly plug into that.
There's actually a call recently being accepted and a project starting called Cyberstand.
And their aim is to support the participation of experts in standardization efforts.
Also some other sort of auxiliary tasks around the standardization, the development of the standards for the CRA.
So I really encourage you to take a look at that and if you're interested in participating then that's probably an avenue for you to do that with some support.
Thanks.
So where can we actually reach out to for this?
The name of the project is Cyberstand.
So from there I hope you can.
So the answer is Google for the Cyberstand.
Search for Cyberstand sorry.
Or get in touch.
And lastly, yeah, so one of the things, well, this is great.
One of the points that came up is better access to policy makers while we're doing this right now.
And you know, it's a very accessible person.
So thank you very much.
And then some, well, EU-US mutual recognition of standard compliance.
So I care about this.
I think that's great.
And then a focus that we're more on actually doing the work of actually making the security better of software.
And also being able to do self attestation and have the integrators or the manufacturers fund some of the compliance and effort, which of course I believe that open source sustainability is very important.
So I'm all for this.
Wonderful.
Thank you very much.
Last stand.
Do you all want to come here?
Can we do this?
Oh, beautiful.
So in those two corners, it was more close to the text and close to close to specific aspects of the legislation.
Over in this corner, we were going from coming from the other end of the chain.
We're talking to people about where they are at the moment and their perception of what is happening, what could be better.
And so we looked at all the hopes and fears and hopes and fears are kind of the same thing.
You can hope that something will go wrong or you can fear that it will go wrong.
And so we bunched them together and we made a few different categories.
In general, there was a lot of discussion of funding, but we found this is a complex topic.
And so in funding, we have to think of specific suggestions rather than just increasing funding, make funding available to more smaller entities, remove the costs for certain things.
For example, having to buy a copy of standards.
And then we noted that participation in projects is also as good as funding projects.
So there are multiple ways to think of funding.
A second thing is procurement and procurement by the EU institutions can be good for supporting projects.
It can also be good for increasing the awareness between the EU institutions and our ecosystem.
The third thing is that there is a lot of funding that is currently available and there is little awareness of it.
There was the open science cloud, which has one billion of EU funding and only one person in our group was aware of it.
So there is also an information gap there that we as an ecosystem and the EU institutions can work on.
There is the issue of being first mover.
So in some of these pieces of legislation, the EU is the first to regulate in a big way the way software is distributed.
And so we have to keep in mind that when we do this, it may be copied by other parts of the world.
And so on one hand, it's useful to do it well for our own people.
It's useful to provide a good example.
And we should probably also try and work with other parts of the world to ensure that other parts of the world don't bring in similar topics into legislation and completely different requirements.
And then we have a different set of requirements in every different region of the world and developers will have a big headache.
FOSS awareness within the EU institutions is a big topic.
Basically the more people are aware of what FOSS is and how it is funded and how it's developed, the better we would be treated as FOSS.
So we need to increase awareness of who develops FOSS and increase involvement.
And the last thing is international coordination, working more with the UN, WTO and ITU.
I've got two minutes left and I said to Benjamin that I'd give him the last two minutes to give his impressions of what he heard in general.
So if you would like to.
Thanks a lot.
Yeah, so first impression, everyone wants money.
I'm not sure we will have all the money that you want.
We'll make an effort to support the community through calls, of course.
Yes, I think I've noticed that a lot of the hopes that you have are actually the same hopes that we have, right?
So you are hoping that the manufacturers will contribute more back.
That's also our hope.
I think the CRA is doing a lot in that direction and I think it can be a game changer.
And yeah, I mean, you are also hoping that the community will step up and also provide solutions such as templates and so forth.
And I mean, that's of course also our hope.
I mean, the CRA cannot succeed without you.
I mean, it cannot be just the commission doing all the work.
We also need you.
So we are really hoping that especially the more those players that are a bit better equipped in the community that they will help draft.
I don't know, cybersecurity policies that then other smaller stewards can maybe copy paste and take over or that you will also maybe start projects for tooling to help companies or open source developers test their products,
ensure that they are secure.
So we also really count on you.
That's also one of my messages for today.
Thank you.
And thank you for all the participation.
I will hand back now to Martin.
Thank you for everyone who wrote down their hope, fear or solution.
Thank you to the people from the commission that were willing to put up with our chaos, trying to run a workshop in a venue intended for call.
And thank you in particular to Toby who made all of this work.