CRA is effectively a "law", was Re: This does not have to be a GR

[Ilu <ilulu@gmx.net>]

Since this error comes up again and again on this list:

The CRA is a "Regulation" (look at the long title: "REGULATION OF THE
EUROPEAN PARLIAMENT AND OF THE COUNCIL on horizontal cybersecurity
requirements for products with digital elements and amending Regulation
(EU) 2019/1020"), in effect a law which will be directly in force in all
EU member states.

The PLD is going to be a "Directive" which needs to be adapted by the
member states. Member states can change things within certain limits.
Those limits are not very wide. They cannot change the main content of
the directive.

Am 22.11.23 um 09:35 schrieb Sébastien Villemot:
> Le mercredi 22 novembre 2023 à 09:05 +0100, Thomas Goirand a écrit :
> > Excuse me to insist with vocabulary, but since you've use the word "law"
> > 6 times above: the EU isn't a state or a nation, and doesn't make laws.
>
> Just a minor note: the EU actually issues laws, they’re called
> “regulation” in the EU jargon¹. But indeed a “directive” (as in the CRA
> case) is something different, and as you say opens up the possibility
> of a fight at the national level.
>
> > We're talking about "directives", that eventually will be implemented as
> > laws in each member state. This is a huge difference that make it
> > possible to fight the CRA at multiple levels. This also mean that the
> > CRA wording isn't as important as the wording of its implementation as a
> > law in each member state.
> >
> > Also, once the directive is passed, it's still theoretically possible to
> > fight its wording in each state. Seen the other way around: it's
> > possible that the implementation as a law in each country is worse than
> > then directive itself, we must pay attention to it (it's probably even
> > more difficult for us this way, as there will be 27 implementations to
> > take care of).
>
> ¹ https://en.wikipedia.org/wiki/Regulation_(European_Union)