WEBVTT

00:00.000 --> 00:14.760
So don't go anyway. So this is the boundary between the panel and the fishbowl. So the

00:14.760 --> 00:20.240
fishbowl session is like a panel, but it's a panel that you can be on. So if you would

00:20.240 --> 00:25.120
like to join the conversation, if you would like to come down and stand outside this

00:25.120 --> 00:30.720
box, and somebody who is inside this box will then leave it and let you into the box

00:30.720 --> 00:36.160
so that you can participate in the conversation. We're not, we're doing this in, because

00:36.160 --> 00:42.000
none of you know how to ask a question for goodness sake. This is instead of questions.

00:42.000 --> 00:48.000
So you get the opportunity to come down here and give your short talk and possibly to ask

00:48.000 --> 00:53.680
you a question. So no need to put it in the form of a question. So what I'm going to do now

00:53.680 --> 00:58.320
is I'm going to carry on the conversation, and then if you do want to participate, you don't

00:58.320 --> 01:03.360
have to raise a hand, you just have to politely form a line to come into the box down in this

01:03.360 --> 01:09.120
area by the door. Okay, and we'll do that until either it gets out of control or we run out of time.

01:09.120 --> 01:37.680
There we go. So, so there's something I want to say which is that

01:39.760 --> 01:51.760
Yeah, so, so I am, as through my consulting work, I am the technical lead of the Open

01:51.760 --> 01:58.160
Regulatory Compliance working group at Eclipse, and we have all the ways on a direct liaison

01:58.160 --> 02:04.240
with CEN and CENELEC, and I think what I want to say which I think is, you know, good news

02:04.240 --> 02:09.440
is that everyone in the different organizations, whether it's the Commission or CEN and

02:09.440 --> 02:15.600
CENELEC or ETSI, are really well aware of the friction and how unpleasant it is, right?
And

02:15.600 --> 02:22.080
our own trying to find wiggle room to make this work, right? So, you know, there's real positive

02:22.080 --> 02:26.800
and good intention to make this happen, and I think that's really important to take in mind.

02:26.800 --> 02:33.200
And there's a structure and a legal process that we have to work with. So, you know, I think

02:33.200 --> 02:37.600
that's a really positive note. And then the second completely unrelated thing and I want to

02:37.600 --> 02:43.120
quickly say, which, you know, I think one of the comments that, you know, all of you made about

02:43.120 --> 02:48.800
like meetings and all of that is, one of the things that open source, I believe, can bring to

02:49.840 --> 02:56.960
those organizations in the future is versioning and like building standards, the way we build

02:56.960 --> 03:02.320
open source software. This is something I pushed a long time ago at W3C, and it's like

03:02.320 --> 03:08.000
incredible moving from like sharing docs through like actually having pull requests on on

03:08.000 --> 03:16.800
on GitHub, whatever your flavor of versioning system is. And it makes, it accelerates things

03:16.800 --> 03:21.840
very much and it makes it really easier to have a broader set of stakeholders. It's like there

03:21.840 --> 03:27.440
are only benefits to this, right? And the tooling now that we have makes it actually quite accessible

03:27.440 --> 03:31.920
even to non-technical people. So, I think like having some, you know, pushing for something like

03:31.920 --> 03:36.160
that would be really, really great. And I'm done with my soapbox. And now I'll leave the

03:36.160 --> 03:39.920
audience about how we do it. Just so you know what it looks like now, we have these documents.

03:39.920 --> 03:46.080
Everyone knows this.
We have these documents, standard version 1, final 2, comments SRPDF,

03:46.080 --> 03:54.160
version 2x.xml kind of things with comments highlighted in five different colors or in this

03:54.160 --> 04:01.520
is how we work. So I would very much appreciate like a model model like that, but yeah, this is one of

04:01.520 --> 04:05.440
the technical issues we have and then also the people in there and they are probably all very

04:05.440 --> 04:11.520
nice. I've met most of them, but you can see that most of them are used to an older way of

04:11.520 --> 04:17.120
working like they don't like sharing things often. Like we don't want input from the outside

04:17.120 --> 04:26.240
and that's I think needs to change. I'm not sure I do not have a lot to say anymore.

04:27.120 --> 04:39.680
Maybe only like, so the, for me it's really a mind-boggling process. Because it is still

04:39.680 --> 04:44.000
not assured that it is something that you can actually use practically. And I'm like very

04:44.000 --> 04:48.560
much focused on stuff that is like guidance, perspectives and so on that people can actually do.

04:49.200 --> 04:55.920
And what kind of process me with monetization stuff is that it has that the applicability

04:56.560 --> 05:00.640
is something that is like, that's very high level. So people are there and say, okay,

05:00.640 --> 05:06.320
now I know that you know, but, but how do I actually do that? Yes, that is a thing where open like

05:06.320 --> 05:10.960
this is where open source actually shines much more than actually in the process to describe that

05:10.960 --> 05:16.480
high level. Also because it is very annoying that it's like in terms of there is something that

05:16.560 --> 05:25.840
developed over a long time, you know, in, like also in the software space, but due to that

05:25.840 --> 05:31.360
disconnection between how you think about safety standardization and how you think about security

05:31.360 --> 05:36.320
standardization.
I believe this is where the friction actually is. It has nothing so much to do with

05:36.320 --> 05:41.040
the other things. It's really like also why you actually standardize that. Yeah, so.

05:41.920 --> 05:46.960
Yeah, actually, I think that's a super interesting topic in itself. I'll take one more minute to

05:46.960 --> 05:52.640
to comment on this. On the document sharing, I believe that now in CENELEC, they were already

05:52.640 --> 05:58.240
experimenting with this open document system. Okay, it's starting, guys. I mean, we have to give it

05:58.240 --> 06:04.400
also a bit of time to evolve and it's evolving. And then on this really interesting point of,

06:04.400 --> 06:08.320
first, on the point of having practical frameworks, I mean, that's practical frameworks are great.

06:09.200 --> 06:14.640
But the scope of the Cyber Resilience Act is so broad. It covers everything from micro-electronics

06:14.640 --> 06:21.680
to industrial machinery to stuff that is pure and simply just software. And so, because of this,

06:21.680 --> 06:28.240
we really need to find also an abstract language that we can refer to so that there can be ways of

06:28.240 --> 06:32.240
communicating again across the supply chain. This is going to be thinking innovation and something

06:32.240 --> 06:37.120
that is still needed and something that will take some time to figure out what's the right level

06:37.120 --> 06:42.400
of abstraction which to talk. And that's going to be important to find also for regulatory

06:42.400 --> 06:46.880
purposes because precisely also to address the point initially raised, that these standards need

06:46.880 --> 06:51.840
to be product agnostic. So again, we need to be able to talk about things in a slightly abstract way

06:51.840 --> 06:55.920
to avoid falling into the trap of standard essential patents, things like that.
So it is also

06:55.920 --> 07:00.320
kind of an intellectual exercise of just sort of how can we talk about this in a way that we can all

07:00.320 --> 07:05.200
agree. And that's very hard at the very horizontal level and that's why the current work has been

07:05.280 --> 07:10.320
so much a talk shop, but slowly we're going to get into very product specific standards and I think

07:10.320 --> 07:14.000
that those problems are going to sort of disappear because they're going to be about most specific

07:14.000 --> 07:19.040
use cases and the actual risks that we find and how to mitigate them. So and that's where I think

07:19.040 --> 07:23.040
that the legislation helps is to be able to also give an incentive to just discuss what are the

07:23.040 --> 07:27.040
common requirements that everybody needs to implement and then having a much specific discussion

07:27.040 --> 07:31.440
of how the implementation should actually look in context. And again, this is where the standard

07:31.600 --> 07:39.200
would help and this is where it gets closer, I hope, to a framework. I guess I'll give it a mic

07:39.200 --> 07:42.800
to someone else. Thank you very much. Thank you. Thank you. Thank you.

07:42.800 --> 07:46.800
Thank you. Thank you. So it would be good if anyone's to respond to Filipe, rather than start

07:46.800 --> 07:53.200
new topic, that would be good. And if there's no new topic, then it is no response and we'll start

07:53.200 --> 08:00.000
new topic. All right. Okay. Hi. I'm Svanteshu Wood. I'm working on ODF. I'm one of the chairs

08:00.000 --> 08:05.680
on ODF. I'm but also an editor of the CEN standard, the European norm for European

08:05.680 --> 08:12.080
electronic invoices since 2019. And if you pay more for DIN, then you can share internally as

08:12.080 --> 08:19.760
well. Yes.
So and there's an EU regulation that from 2012, 2025, that ever European standard

08:19.760 --> 08:24.800
have to be, I didn't see other slides, but have to be in European norm. So they have some kind of

08:24.880 --> 08:34.720
monopoly or cartel because they're different sectors. And I find it, okay. I mean, yeah,

08:34.720 --> 08:39.200
any, but the drafts as well, I can share the drafts, but I don't go there's, yeah, I'll show you

08:39.200 --> 08:43.440
this page later. But what I mean is, it's a fine business model that you have a monopoly

08:43.440 --> 08:50.320
by law, and you can do the price tech on it. And all the others, and I pay for them, DIN,

08:50.400 --> 08:55.680
to work with them, and they sell it. And I had to be an editor because there were

08:55.680 --> 09:00.160
former pages of PDF and I wanted to extract it by automation this table. And so I wanted

09:00.160 --> 09:05.920
to get my hands on this ODT. It was a docx, but then I transformed the ODT and transformed

09:05.920 --> 09:10.000
it there, but it's directed the data. And now come to the second thing, I think software,

09:10.000 --> 09:15.360
and they are still the waterfall model from the 18th years. So it's software is very fast now,

09:15.360 --> 09:20.160
like two weeks, there's a release. And the blueprint, the standard, is like five years and

09:20.160 --> 09:25.920
send. So we have to be more generalable. So we have to be more structured data. And instead

09:25.920 --> 09:31.120
extract and data, we generate the machine-readable form and the human-readable form as well

09:31.120 --> 09:37.440
from that. And I'm, I put this saying goodbye on Git, sorry, not GitLab, I've made a mistake.

09:37.440 --> 09:44.560
But so there was a spreadsheet of 50 tasks, and I generated by 250 GitHubs by this.

09:44.640 --> 09:49.920
You don't have this weekly meeting or every meeting has a PDF. It's horrible. This process

09:49.920 --> 09:54.720
is horrible. You have five clicks to get it.
But then we have everything in issue with everything.

09:54.720 --> 10:00.400
I just suggest to do it the same way. Maybe GitLab, not GitHub, sorry. Yes. But okay. So

10:01.680 --> 10:07.200
I wish that is a different business model. I need their experts. I think open source need money,

10:07.200 --> 10:13.760
repeated of money. So somebody can take off. I buy my bread for not for free. So I need money

10:13.760 --> 10:18.080
as an open source or open standard developer. And even I love to have expert. They're very

10:18.080 --> 10:25.120
good experts who moderate it, at least the DIN group meeting, C.S. So I think and for like a

10:25.120 --> 10:31.920
working invoices, when I met there in Iceland, there were 25 consultant. There was not a single

10:31.920 --> 10:39.200
who like working invoices. But so I think if you use it, not to start with a participating,

10:39.280 --> 10:43.520
that you should pay for it. So maybe the test should be at the standard as well.

10:43.520 --> 10:45.840
But I think it's talked too much. Thank you.

10:45.840 --> 10:49.200
I would be interested in any response to that.

10:49.200 --> 10:52.320
I would remain careful. I already don't have to be here for the paper.

10:52.320 --> 10:56.320
There's a lot of points. I'm sorry. I'm trying to...

10:56.320 --> 11:02.160
Sorry. Do you keep in? If any one wants to respond to the question,

11:02.160 --> 11:04.560
I'd rather have come to say can be read amongst the papers.

11:05.360 --> 11:12.880
Okay. So what I understood is that the temptations of creating market entry barriers and

11:12.880 --> 11:20.240
forming a cartel and having this business model is very tempting. What I would say on the

11:20.240 --> 11:24.720
end of the inwards because the DIN sends you even if you want to go there that everything you

11:24.720 --> 11:30.160
sent there is now their property. So that's in there so they steal all your ideas,

11:30.400 --> 11:35.280
which is very bad even if you adjust the guest.
And that's that's crazy. I managed to get around it.

11:35.280 --> 11:41.200
But on the other side, the problem is it slows down everything. And I'm a product manager

11:42.000 --> 11:49.040
and for for for Susan, right? And we have interest in being fast. Being fast on the market.

11:49.040 --> 11:57.040
And I have some hope that this speed argument might outrule these other kinds of tendency to have

11:57.120 --> 12:03.280
market entry barriers because these market entry barriers will not so the the period where there

12:03.280 --> 12:10.160
are worth something is going down. And this might be a very good argument that this investments there

12:10.160 --> 12:16.560
might be blinded or going in the wrong direction. And so open standards are much faster. You can

12:16.560 --> 12:23.920
make much faster money with it. And so this could be an argument to say well step out of this cartel

12:24.000 --> 12:30.000
thinking step in through their own regulation. Just quick quick answer and then step out.

12:30.000 --> 12:34.240
So there's a regulation, the usual antipathy solution pattern against it like I'm at OASIS.

12:35.040 --> 12:40.480
We make in freestand it OASIS and then we go by fast path to each ISO. So you still and there's

12:40.480 --> 12:49.040
no difference. So we've got the ISO sign but still you can have open access it. That's the same thing.

12:49.040 --> 12:53.840
Whenever I want to do something I first release it openly. And then I throw CEN and

12:53.840 --> 12:58.480
see us the link and we can put it in the standard. So that's the way you have to circumvent it.

12:58.480 --> 13:03.200
Just to just and the other thing is I have to validate invoices just another thing. It's just to

13:03.200 --> 13:09.600
see the relation. And to be compliant I have to check every 27 VAT member states in German VAT laws

13:09.600 --> 13:15.040
a hundred of page of PDF. And it have to be structured as well.
So structure structure structure

13:15.120 --> 13:20.880
please yes. So I'll leave the bubble. I think the most important thing is please argue with

13:20.880 --> 13:29.200
speed because open source is speed and speed is money. So hello before everybody leaves I want to

13:29.200 --> 13:35.440
basically raise a call to action. We've heard a lot today about we have like 12 meetings a week

13:35.440 --> 13:41.600
and hundreds pages of PDF documents and that's ridiculously old system. There was recently a

13:41.600 --> 13:46.240
consultation should this system be changed. Should the European standardization organization be

13:46.240 --> 13:51.600
revisited? Naturally we have submitted that we think it is out of shape and needs to be fixed.

13:51.600 --> 13:56.880
Other organizations especially those deeply entrenched in the current system have submitted

13:56.880 --> 14:03.280
opinions that they said this system is perfectly fit for purpose. So what I'm saying is we should

14:03.280 --> 14:08.720
not take for granted that this will automatically improve. We should keep the pressure up and say

14:08.800 --> 14:13.680
better collaboration methods exist today. They need to be deployed also in the European

14:13.680 --> 14:17.440
standardization organization. Standardization organization is actually regulation for that.

14:17.440 --> 14:23.360
1025. The currently the Commission is about to decide whether or not this will be reopened

14:23.360 --> 14:27.920
and then rewritten. And of course we're pushing for it should be reopened and rewritten.

14:27.920 --> 14:32.560
And you should all participate in that pressure to make sure that this system actually changes for

14:32.560 --> 14:34.960
the better. Thank you. Thank you.

14:39.200 --> 14:42.000
Thank you for talking about this back in the box. There's no one's put you out yet.

14:42.000 --> 14:52.320
Okay. As a participant in several standardization groups but not on CRA.
I know the

14:52.320 --> 14:59.120
feeling of being pressured in the waiting time. I'm just calling your attention that the ICT

14:59.200 --> 15:10.000
Observatory for standardization, StandICT.eu, has open calls for grants for people that are

15:10.000 --> 15:18.480
for European nationals that are participating in standard bodies. And so they should use

15:18.480 --> 15:25.520
you should apply and use it. I also would like that anyone that's involved in a standard

15:26.240 --> 15:34.800
participant just makes a call to add to bring in more volunteers into helping them. And at the same

15:34.800 --> 15:42.800
time I would ask for people that on the open source worlds that are participating in these standards

15:42.800 --> 15:50.240
efforts to join in a forum or something so that we can have a common strategies to cope with all of

15:50.880 --> 15:57.440
this in more or less common way even if you are subjects of standardizations are different.

15:58.400 --> 16:07.920
So this might help us in increasing the pool of open source activists participating in open

16:07.920 --> 16:15.040
source but also in having common ways to address the different standard bodies.

16:16.000 --> 16:23.760
It's a quick audience poll because you're all sleeping I can see you. How many people here

16:23.760 --> 16:35.120
participate in activities of the standards body? Either OASIS, W3C, CEN, and more than a third of the

16:35.120 --> 16:40.640
audience. How many people here would do so if only they could work at how they held to do it?

16:41.520 --> 16:49.520
Okay so I would love you all as you could easily find my contact details because I'm on the

16:49.520 --> 16:55.760
devroom. I would love you all to contact me so that I know who you are and can talk to you and if you

16:55.760 --> 17:02.320
need to get access I can help you because really all we are lacking here is enough person power.
17:04.880 --> 17:10.080
And maybe to say that the European Commission is trying to give funds to people who want to

17:10.080 --> 17:15.920
step up as individual experts to participate in these kinds of standardization work and the

17:15.920 --> 17:21.920
standardization bodies. So the first two links up there on the board, cyberstand.eu and the

17:21.920 --> 17:28.960
StandICT.eu, thanks for mentioning it. Those are such projects that basically allow people to submit

17:28.960 --> 17:34.560
the project for participation in standardization work and get individual grants.

17:35.120 --> 17:44.960
Now I am a I was a reviewer on StandICT.eu and it is not the easiest process to submit an

17:44.960 --> 17:49.680
application for a grant. So if you're doing it for the first time and you would like some help

17:50.240 --> 17:56.400
then ask and I will be very pleased to help review your application so that it's more likely to succeed.

17:57.280 --> 18:09.440
I am going to start. So I'm on the other end of the spectrum so I'm part of an open source

18:09.440 --> 18:16.880
project that's international. It's not just you, it's the United States, it's in East Asia,

18:16.880 --> 18:26.080
all over the world. I have some concern when I hear standards and regulation together because

18:26.080 --> 18:33.520
that's just going to make our life much, much more difficult. So I just wanted to open that up as

18:33.520 --> 18:41.120
a question really. How would you address that? Yeah. How back in the book? Thanks.
I mean the reason

18:41.120 --> 18:49.200
I like standards is because they represent a kind of bottom-up organic form of self-regulation

18:49.680 --> 18:56.240
where the expertise of people on the ground is codified and can be dynamically adapted to the

18:56.240 --> 19:02.480
needs of an ecosystem and so therefore I think it's kind of true by definition that when regulation

19:02.480 --> 19:07.760
gets involved it's a little bit harder, everything becomes a little bit heavier. I think that's

19:07.760 --> 19:12.800
just true but I also think that regulation generally can play a positive role in sort of the

19:12.800 --> 19:17.920
organization of our modern societies that are super complex. So I think it has to be a kind of

19:17.920 --> 19:23.840
give and take and I think certainly for the Cyber Resilience Act I don't know if you're familiar with

19:23.840 --> 19:30.640
that part of the work but I think it was overdue that products need to be secure and so this fast

19:30.640 --> 19:35.360
tracking of a discussion on we suddenly we need harmonized standards for this that's only possible

19:35.360 --> 19:40.480
because there were so many existing frameworks before on the market. In fact the market had

19:40.480 --> 19:46.400
the fragmentation of security frameworks where basically each sector had its own approach to security

19:46.400 --> 19:50.960
and this is also inefficient and not necessarily reasonable and also a bit kind of security

19:50.960 --> 19:56.800
by obscurity or even insecurity by obscurity and so it's a different form of of obscurity and

19:56.800 --> 20:02.080
and prevent and certainly preventing of security as a as a name that people should be entitled to

20:02.800 --> 20:08.960
is not really met by a fragmented landscape of frameworks that are not mutually compatible.
20:08.960 --> 20:14.800
So I think that the CRA can as a form of regulation can actually come and give a sort of incentive

20:15.360 --> 20:20.640
to have a more a broader discussion, a coherent discussion of what does really security mean

20:20.640 --> 20:26.320
at different security levels. Otherwise we kind of end going only for the worst case scenarios

20:26.320 --> 20:31.040
that need to be treated because otherwise it would be a fiasco but we don't really cover

20:31.040 --> 20:36.400
sort of medium and low risk consumer risks for instance in a very systematic way.

20:36.400 --> 20:41.760
So it's basically I see it as the need for a dialogue and that legislation should certainly

20:41.920 --> 20:47.280
learn from standardization but at the same time legislation can kind of insert more high-level objectives

20:47.280 --> 20:52.000
that may be standardization was not addressing and therefore kind of give a stimulus for those

20:52.000 --> 21:01.760
high-level objectives to also be met. Yeah, I wrote it. Yeah, so thank you for this question.

21:01.760 --> 21:08.320
I think this is a very important question. I think one of the undersung value of open source

21:08.400 --> 21:13.920
is the fact that open source has standardized licenses that every lawyer in the world kind of

21:13.920 --> 21:22.160
know what it means, right? I mean, it's a big overstatement but like there's that they yeah yeah yeah

21:23.200 --> 21:29.360
and that's incredibly valuable because it means that you know this whole trove of a software

21:29.360 --> 21:35.280
that is part of the common goods is really easy for anyone in the world to just include and

21:35.360 --> 21:39.600
have a good sense of how they're going to be able to use it not only in their own country but

21:39.600 --> 21:45.520
as they export their products elsewhere, right? Of course, if we now have compliance rules and

21:45.520 --> 21:51.680
different countries that are entirely don't match, right?
And if you build something in the U.S.

21:51.680 --> 21:57.200
leveraging a piece of open source that is compliant to U.S. legislation but then when you want

21:57.200 --> 22:02.000
to move it to Europe no longer compliant, that's going to be an awful nightmare and we're going to

22:02.000 --> 22:10.000
completely lose the value of this whole open source all of the of all open source really.

22:10.800 --> 22:15.280
And so I think this is why we really need to start talking about a harmonized compliance

22:15.680 --> 22:22.400
and essentially leverage standardization as a way to get compliance across the different jurisdictions.

22:22.960 --> 22:29.680
I think this is really, really critical and as we you know as as we address the CRA we have to

22:29.760 --> 22:36.320
think about upcoming legislation elsewhere, right? And this by the way is why our interest group at

22:36.320 --> 22:42.640
ORC is not called the CRA interest group but the cyber resilience interest group because we

22:42.640 --> 22:49.440
acknowledge there's going to be more legislation of the same nature and the artifacts that we produce

22:49.440 --> 22:55.680
we want it to help all of those different, all of those different compliance requirements and

22:55.760 --> 23:01.840
all of those different jurisdictions. So comment, just rain 10 minutes and I'd like one more topic

23:01.840 --> 23:09.040
of those standards. Yeah, so I do not agree with what you said. There is all about that we have to

23:09.040 --> 23:15.360
have like all like you know that it is too fragmented and so on. So I'm a software person so that

23:15.360 --> 23:19.840
means like my understanding of what the reality of software is is that you have to have different standards

23:19.840 --> 23:23.200
because you have different industries you have different in all like especially when safety

23:24.160 --> 23:29.360
something else than a pure security standard.
So that means like there is a need for a variety

23:29.360 --> 23:37.680
of things that work that's a one part. The other part is every like you know of course like

23:37.680 --> 23:43.600
if you believe in democracy then you need to make a sure that you know like that other countries

23:43.600 --> 23:50.000
can also actually choose whatever they choose as their main objective for security and safety. So

23:50.080 --> 23:55.440
but what's what's the power of open source is to be able and anticipated and also like what

23:55.440 --> 24:02.000
we do a lot of like mapping like the hell out of like legislation and how what tools can

24:02.000 --> 24:09.680
head to supply you know like with what head. So there will not be the ultimate you know like

24:10.480 --> 24:15.600
horizontal standard that is there and you know like if you follow with you like you know you

24:15.920 --> 24:22.080
like this is not going to work. So I believe there needs to be also that realism that you know

24:22.080 --> 24:26.720
like the acceptance that in that sector it is like this and then you know like so and this is like

24:27.520 --> 24:32.080
you know like more the framing and more in my point of view but also the strength of open sources.

24:33.360 --> 24:38.240
It's just one hand side like to you've to be exactly what you said as a product manager I'd like

24:38.240 --> 24:43.200
to advocate a little bit for the end user and customer and one of that is if you regulate him

24:43.200 --> 24:48.560
you need a definition of done. So you need something that tells when he did his job

24:48.560 --> 24:53.360
especially if he's liable and this can only be done in a fair way it be a standards.
24:55.760 --> 25:02.160
Thanks very much sorry just sorry a quick idea that I also wanted to share so first of all

25:02.960 --> 25:08.400
I made before this this pyramid on the screen I don't know if people in the video if it's

25:08.480 --> 25:13.840
still visible but for the Cyber Resilience Act we certainly it's not enough to have horizontal

25:13.840 --> 25:18.240
standards things need to get specific and that's where you can have the dynamic of understanding

25:18.240 --> 25:22.560
the context and understanding sort of what are the risks and what are the appropriate mitigations

25:22.560 --> 25:27.200
so I certainly agree that the horizontal discussion is just the beginning of this conversation

25:27.200 --> 25:32.160
and is just to try and give a kind of coherent umbrella framework for it it's not meant to be a

25:32.160 --> 25:37.840
single standard for all so definitely importance of context is key and also the difference to

25:37.840 --> 25:43.280
safety I think is really interesting and this is where I wanted to plug in because maybe people

25:43.280 --> 25:48.560
here in the room can actually participate in in this broader discussion so I've understood that

25:48.560 --> 25:54.000
some concepts that we're trying to use from a legal point of view were developed to deal with problems

25:54.000 --> 25:59.440
of safety and I realized that safety even though it's very complex and you have to be very careful

25:59.440 --> 26:04.960
about safety you know safety is about something that affects human bodies and human bodies have been

26:04.960 --> 26:10.240
roughly the same for the last three million years since the sort of homo erectus came about but

26:10.240 --> 26:15.840
computers have evolved a lot in the last three million years especially in the last 50 years right

26:15.840 --> 26:23.200
so so it's very difficult it's it's a more dynamic domain and so what that means is that we need

26:23.200 --> 26:29.440
new social structures new social frameworks for
how to think about the dynamic landscape how to

26:29.440 --> 26:35.840
think about evolving machines and how to think about different use cases when you have an industrial

26:35.840 --> 26:41.600
machine it's usually one big machine for one big purpose and it's always in a factory so one

26:41.600 --> 26:47.520
machine is one use case but when you have a computer one computer can be put anywhere and can be used

26:47.520 --> 26:52.480
for anything so you have infinite context infinite use cases it's a completely different approach

26:52.480 --> 26:57.840
so what this means is we need to start thinking how can this be proportionate how can we think about

26:57.840 --> 27:03.360
a computer but not have a single statement on that computer we need to have different statements

27:03.360 --> 27:08.080
for the computer depending on where that computer is what the computer is doing and that again comes

27:08.080 --> 27:12.880
down to this idea not horizontal standard no we need product specific standards we need standards

27:12.880 --> 27:18.560
for specific use cases so that it can take context into account and this is where everybody comes in

27:18.640 --> 27:23.040
what are the contexts what are the use cases what is the correct expectations for security

27:23.040 --> 27:28.240
for a given use case for a given set of users this is a key societal discussion that needs to

27:28.240 --> 27:33.040
happen and we'll start to happen now that the CRA is a law so it's not going to be right from the

27:33.040 --> 27:36.720
beginning it's not going to be closed from the beginning either it needs to start happening and

27:36.720 --> 27:42.640
everybody can be a part of that discussion when they make explicit what are our security expectations

27:42.640 --> 27:54.320
thanks no stopping go for it well this is something I've been thinking about for quite some time

27:54.320 --> 28:04.320
and I remember when when a patent was issued for I believe it was Amazon and it patented the idea
28:04.320 --> 28:14.080
that a user of a computer could click a button they didn't define button by the way buttons are

28:14.080 --> 28:21.680
all over the button you could click a button and buy a product and they patented this idea now that

28:21.680 --> 28:29.280
was to my mind one of the stupidest patents ever issued and it brought to mind the fact that

28:30.160 --> 28:37.440
patents are good for lawyers they're bad for everybody else except people who want to make money on

28:37.440 --> 28:48.800
some stupid idea I would just have one request if software developers and open source in particular

28:48.800 --> 28:57.280
software developers are going to be relieved of the burden of proving that they are in compliance

28:57.600 --> 29:06.640
simply by following a standard I would beg you to disallow any patenting of any standard

29:06.640 --> 29:13.680
that we are supposed to adhere to and standard should be developed in the open any idea that they

29:13.680 --> 29:27.040
should be patented is I'll use the word again stupid that's it yeah just say thank you for saying this

29:27.040 --> 29:31.360
and I the reason why I'm here is to make sure that as many people as possible can go and

29:31.360 --> 29:37.760
analyze the standards to make sure that that happens okay we need people who know what's happening

29:37.760 --> 29:44.480
inside those documents to identify if there is a hidden patent inside so that we can meet it out

29:44.480 --> 29:51.200
no that's why we're here is not patentable not patent yeah I don't have the power to do that but I can

29:52.160 --> 29:55.920
there be a good law that would be a good law but that's a different conversation it's not the

29:55.920 --> 30:09.120
CRA standards but I agree with you it's a good law I got some hope for you sorry the original idea

30:09.120 --> 30:16.640
behind a patent was that the secrecy which was before was put to an end so that people could

30:16.720 --> 30:22.560
open the way or their technology to the
public so that others could learn in exchange so

30:22.560 --> 30:29.120
it was a trade in exchange for a monopoly for a couple of times right but the problem is 25 years

30:29.120 --> 30:38.000
is a lot and currently 25 years is too much to monetize on a product or if standard in IT so

30:38.000 --> 30:45.200
if we just keep a look on connectors and how fast they are evolving so it is not the guarantee

30:45.200 --> 30:51.520
for development and for money on for anything else but open source is because you're faster

30:51.520 --> 30:56.720
and you're setting sort of standards and compatibility while you're openly producing your

30:56.720 --> 31:03.280
products while others could adapt to it and I think that has the potential and shows already the

31:03.280 --> 31:12.000
potential to overrule this closeness of patents and borders in favor of a faster moving and more

31:12.080 --> 31:19.280
prosper economy thank you my hope is just that we can use the excuse of European legislation

31:19.280 --> 31:25.840
to make that world come about thanks thank you thank you okay so the time has come