EU product liability legislation and Win11 hardware requirements

Philip

Incorrigible Inquisitor
Sep 28, 2020
UK
My immediate thought on listening to the discussion of the EU product liability legislation was that it would seem to outlaw Microsoft refusing to support Win11 on older PCs for no real technical reasons. If software vendors have 2 years in which to comply, I guess M$ will get away with it - this time, at least. Unless the EU can look sharp-ish and find some way to slap them down on the grounds that they will be condemning vast numbers of perfectly viable PCs to the e-waste mountain.

On another forum (restarters.net) the owner of a small independent computer repair business is reporting that he is "seeing an increasing number of customers that are opting to not repair Windows 10 PCs because they don’t want to ‘risk’ running unsupported software. This includes non-OS fixes such as batteries and screens." He finds the Linux option an almost impossible sell for his largely non-technical clientele.

- Philip
 
After having listened to some recent episodes touching on the software liability directive in the EU, I've been itching to tip Steve and listeners to read the Cyber Resilience Act which I've been following the past 3-4 years while in the making, and it was just released (an Act has to be implemented in full, unchanged, as law in all EU member states). Anyone who wants to put a “product with digital elements” in the EU market must ensure the requirements of the CRA are met. Conformity is demonstrated by affixing a CE mark to the product. That’s the exact same mark that is already used for other products with safety aspects: sunglasses, children’s toys, pressure vessels, radio equipment…and now products with digital elements.

The essential requirements of the CRA are listed in its Annex I. They can be summarized as follows:
  1. Incident prevention & design principles: Design principles and (regular) measures to develop secure products by design (the teeth-brushing of product development, so to speak).
  2. Incident readiness & resilience: Anything that helps to mitigate the effects if a vulnerability is found and exploited (could be regarded as a tire stack).
  3. Incident & Vulnerability handling: The process that ensures that a security incident is professionally addressed and quickly resolved (like a fire hose would do).
    The reporting obligations in case of exploited vulnerabilities (article 14) apply earlier than the rest of the requirements: Already from Sep 11, 2026.

Here's a short, simple, 5-minute summary of everything you need to know about the CRA: https://fluchsfriction.medium.com/cyber-resilience-act-in-5-minutes-018f43f69508

The deadlines for implementation have finally been set. Two dates are important for product manufacturers:
⏰ From September 11, 2026, they must report actively exploited vulnerabilities in their products (Art. 14) to national authorities and ENISA.
⏰ From December 11, 2027, all requirements of the CRA will apply, meaning that no “product with digital elements” may be put on the market in the EU without a CE mark.