EU Cyber Resilience Act - scope hinges on legal definitions; Bjorn to engage lawyers; aim to publish our own definitions
Situation
On the CRA thread (raised by Leigh Hennig re a Sept 11 deadline for RESF/Rocky/CIQ), Peter directed that the entire scope hinges on two definitions - vulnerability and actively exploited - and delegated Bjorn to engage lawyers to weigh in. Strategic aim: ideally CIQ/RESF publishes its own definitions, reframing CRA compliance as living up to our stated market promises rather than being exposed to outside interpretation. Until legal responds, nothing to do.
Reasoning
Do not act on an undefined obligation: the compliance burden is entirely a function of how two terms are defined, so defining them (legally, and ideally on our own terms) is the whole game. Controlling the frame converts an external regulatory threat into a self-set market promise CIQ already intends to meet. Sequence discipline: no engineering scramble until legal scopes it - avoids burning the team on a phantom mandate.
Additional Context
Confirmed accurate by Peter. Spans a group DM (Greg/Bjorn/Brady/Leigh) and #distinguished-leaders where Peter reassured a sick Greg it is handled. Sept 11 deadline.
Observed Evidence
Direct Slack quotes across group DM and #distinguished-leaders; explicit delegation to Bjorn to get lawyers.
Confidence Breakdown
Reasoning Depth Analysis
People Involved
Source
reflection
AI Confidence
74%
Related Context
slack
I think the entire scope of this hangs on the two questions I asked. Bjorn can we get lawyers to weigh in?... hopefully we get to publish our own definitions... Otherwise it could be pretty brutal if vulnerability is left to interpretation. ... We are on it Greg. Nothing to do till that happens.
Outcome
No outcome recorded yet.
Decision ID: 547d2a03-3650-4c23-b85e-1d1b6ce98333