Scope & Classification

Part 1 of the PDE2000 CRA journey

Last week, we tried and failed to launch the PDE2000: the gadget you never knew you needed!

At the last minute, our launch had to be canceled due to a new EU law: the Cyber Resilience Act (CRA).

The PDE2000: a Raspberry Pi wired to a breadboard with red, yellow, and green LEDs

At first, we thought our lawyers had just invented something (too much ChatGPT, you know…), but it turns out this law really exists! Our new plan is to make sure we can comply with this law as quickly as possible. How hard can it be?

Step 1: Finding out if we're really in scope

The CRA defines a "product with digital elements" as a software or hardware product and its "remote data processing solutions", including components placed on the market separately.

Hmm, looks like we're really on the hook for this…

Schematic of PDE2000 components: Raspberry Pi, control software, web server portal, SQLite database, update server, LEDs, and GPIO pins

Walking through the components:

  • Pi hardware + control software: yes, clearly in scope. Hardware product with digital elements.
  • The portal server: the question to ask is whether the portal is a "remote data processing solution" (RDPS) that is necessary for the product to function. Without it, the LEDs cannot be controlled remotely, and that is the product's main feature. So yes, the portal qualifies as an RDPS and is in scope as part of the product, not as a separate component.
  • The SQLite database: part of the portal server, in scope as part of the RDPS.
  • The update server: we host this ourselves (on the same server as the portal). We control it and it delivers updates to the PDE2000, so it is in scope as part of the product's update mechanism.
  • The LEDs: this is passive hardware, no digital elements themselves. Not in scope as separate items, but they're part of the product as a whole.

Step 2: Classification (or, how much do we really need to do?)

Keeping things simple, the CRA classifies products into three (or four, depending on how you count; guess it's not that simple…) categories:

  • Default (self-assessment)
  • Important, Class I
  • Important, Class II
  • Critical

The PDE2000 doesn't appear in the Important or Critical lists, because it's a generic networked device, not a password manager, identity management system, OS, router/firewall, microcontroller for industrial use, etc.

During our launch event, there was a heated discussion around the classification of the PDE2000. Some people made the argument that "because the LEDs can be programmed to signal the start of the weekend, this product is critically important".

While we agree with this business reasoning, it turns out the CRA doesn't really work like that. Important and Critical products are listed in the annexes, and the PDE2000 does not fall into any of those listed categories.

So, the PDE2000 falls under the default category. This also implies we'll be able to self-assess our compliance with CRA.

All this looks like great progress to us, we'll be complying with CRA in no time!

What do you think? Does this classification sound right?

Next up

Next installment will be around the PDE2000 data flow diagram, to use in our risk assessment.