EU Cyber Resilience Act - scope hinges on legal definitions; Bjorn to engage lawyers; aim to publish our own definitions

June 18, 2026 at 8:52 PMstrategymedium

Situation

On the CRA thread (raised by Leigh Hennig re a Sept 11 deadline for RESF/Rocky/CIQ), Peter directed that the entire scope hinges on two definitions - vulnerability and actively exploited - and delegated Bjorn to engage lawyers to weigh in. Strategic aim: ideally CIQ/RESF publishes its own definitions, reframing CRA compliance as living up to our stated market promises rather than being exposed to outside interpretation. Until legal responds, nothing to do.

Reasoning

Do not act on an undefined obligation: the compliance burden is entirely a function of how two terms are defined, so defining them (legally, and ideally on our own terms) is the whole game. Controlling the frame converts an external regulatory threat into a self-set market promise CIQ already intends to meet. Sequence discipline: no engineering scramble until legal scopes it - avoids burning the team on a phantom mandate.

Additional Context

Confirmed accurate by Peter. Spans a group DM (Greg/Bjorn/Brady/Leigh) and #distinguished-leaders where Peter reassured a sick Greg it is handled. Sept 11 deadline.

Observed Evidence

Direct Slack quotes across group DM and #distinguished-leaders; explicit delegation to Bjorn to get lawyers.

Confidence Breakdown

30/35
Evidence
15/30
Pattern
17/20
Source
12/15
Corroboration

Reasoning Depth Analysis

Org Signal:Do not panic-engineer against a regulation until its scope is legally defined.
Who Affected:Bjorn (owns getting legal), Leigh (raised it), Greg (reassured), RESF/Rocky.
Precedent:Ambiguous regulatory mandates get scoped by legal plus our own published definitions before any eng work.
Consequences:Pretty brutal downside if vulnerability is left to outside interpretation - hence urgency on definitions.
Timing:Sept 11 deadline; get legal moving now, hold eng until scoped.

Source

reflection

AI Confidence

74%

Related Context

💬
Slack group DM + #distinguished-leaders (6/18)

slack

I think the entire scope of this hangs on the two questions I asked. Bjorn can we get lawyers to weigh in?... hopefully we get to publish our own definitions... Otherwise it could be pretty brutal if vulnerability is left to interpretation. ... We are on it Greg. Nothing to do till that happens.

Outcome

No outcome recorded yet.

Decision ID: 547d2a03-3650-4c23-b85e-1d1b6ce98333