Well, big hand to Karen, that's a tough act to follow. I hope he didn't scare you too much. I'm the guy who comes here to tell you that eating your vegetables is actually good for you. And that is a difficult pitch. My name is Javier and I'm a Spanish civil servant. I am the co-leader of the technical team advising our permanent representatives in Brussels.

I will first dedicate a few minutes to explain the Byzantine implications of how the legislative process is going. So we are under the Spanish presidency of the commission. That means that the permanent representatives of Spain have a function of secretariat, of honest broker. They represent the whole council. In this part of the legislative process, there are three key players. There is the council representing the member states, which has the representative legitimacy of their member states. There is the European Parliament, which has the democratic legitimacy of the votes of the people. And there is the European Commission, which has an advisory role and proposes the laws. The European Commission proposes a law and both the European Parliament and the council, the member states, draft different text proposals. They have different mandates. Then they both sit together and hammer out a common text which is then voted in the parliament. We are now in that process. That process consists of several readings, but the readings were a very cumbersome tool. So they invented the trilogues, which are a more flexible tool. But the trilogues weren't flexible enough so they invented the informal technical meetings. And those we have almost every day. So in the position, in the point we are now, we have the mandate of the council, the mandate of the European Parliament and the different proposals that come up that are confidential, although they are leaked sometimes. What Karen has explained to you right now is the product of a leak.
I will refer to it because it's out there, but I cannot tell you what is going to be said today or what was said tomorrow.

So, well, recital 10 of the CRA is the one that states whether you are inside the scope or you are outside of the scope. In the mandate of the COREPER, the commission of permanent representatives, the council means they had the exclusion of non-commercial entities. You have to not monetize at all. They speak about indications of commercial activity because there are some non-profits out there that are very lucrative, that sometimes they charge supplies, that sometimes they charge for tech support and they monetize in many creative ways. And they also take into account the circumstances of development of financing. The European Parliament also thought of other forms of monetization, such as recurring donations by commercial entities or indications like having a single entity or generating revenue, or the fact that all the contributors to a certain open source project just happen to work for the same company. And now, well, there we have some possible additions that are being put out there, taking into account the open source software, like, well, it's a unique nature of being collaborative and the role of the stewards that I will point to in the future.

I want to make a stop here and insist the CRA has a reason for existing. It is very important. We are not in the 90s anymore. The computer at home which could have a virus is now connected to your wearables. It's connected to the wearables of others. It's connected therefore to the network of your employer. It's connected to the whole value chain of the employer. And each of these elements, each of these goods and services can be a vector for infection. And we live in a pandemic of infections, a pandemic of ransomware and malware. And it's creating a lot of problems for companies and for citizens. That's why the European Union has two big laws, one for goods and one for services.
One is the NIS directive, the network and information system directive for services. And the other one is the Cyber Resilience Act for goods. As Kieran said, we had the RED directive, the radio equipment directive, which ended up covering all the radio equipment, including Bluetooth, Wi-Fi, mobiles. In the end, it covered like half the world of IoT. Now we have included all the products that can be connected by cable and also software because software was indirectly in the RED directive, but it's a product too, and it's a vector for infection too. And all these laws rest on a specific imperfection of the market, which is that the incentives for the seller are not to take into account, wholly, the welfare of the value chains the seller is contributing to, because what the hell, I have my legal liability, but nothing more. So we want to create a better environment for the whole value chain.

So I have this stupid picture here that I have tried to make as a basic taxonomy of what is open source software. I give my thanks to Benjamin from the European Commission because this is based on a scheme by him. So, as we have said, we have two criteria. One is the money, where does the money come from? Does it come from a single contributor, Mr. Maniwax here? Does it come from several contributors each pitching in, or is it the project not monetized at all? And also we have how much the excess of control of collaboration, there can be a single vendor, a single shop, which would be compatible with the model for the new legislative framework. As you know, the new legislative framework governs the whole CE markings and governs everything that is sold in the EU. If you buy a pharmaceutical product, it has a CE marking for pharmaceutical products. If you buy a toy, a children's toy, it has a CE marking for children's toys, saying it's safe. If you buy a piece of metal protection for a road, it has a CE marking too. Well, you can have managed collaboration.
The key word here is governance. Does your collaboration have some governance? Have someone who is the captain? And you can have total anarchy. You can have a non-managed collaboration with no governance at all. And that is how we envision the playing field. Of course, the real world is far more granular than what a law can say. We know, but we have done our best.

So the initial purpose of the commission was to include, not to include anything that is not monetized, of course, and not to include anything that had zero governance, but to include within the scope of the CRA, everything else. Of course, this was thought to be too much because, for example, in this part here would be things like some parts of Red Hat, for example, because they have one responsible entity and one stop shop. The Linux kernel would be around here because it is managed collaboration and it is paid for by contributors. But I mean, we heard bad opinions about this. And we have also what is in the mandate of the COREPER, the council mandate, which is one of the two texts that are now to be debated. So within the scope is only in this text one single responsible entity and one single vendor. And in these fields around, you see some question marks here, on a case-by-case basis, the market surveillance authority of each member state could say, yes, but in your case, you have to be included here because you have many contributors, but you look more like one responsible entity because of your specific model. You have a managed collaboration, but it's so managed, so heavily managed that it looks like a single vendor. So it has good sides, because it lets and also the cybersecurity pledges of FOSS, a part of this model. It's good sides and it's bad sides. This is all a trade-off. There's no model that is best in our Goldilocks point where everyone is happy. You buy advantages with disadvantages.
One of the disadvantages is that it is more unpredictable because the market surveillance authority may make a decision in your case, which you don't like. And it's also black or white. Either you have the full responsibilities of a responsible entity, of an NLF, an NLF vendor, or nothing. And it's very difficult to go from one point from one to the other.

Then there is the parliament mandate. The parliament mandate was very broad. They wanted to include everything. But what they've had as of late without going in too much in the discussions, which is confidential, is that they have come around to lessening this a bit. And we have some possible image of a compromise which has been floated in what is called the October text, which has been leaked, that will have two figures. One figure of the NLF vendors, the manufacturers, people who are putting their stuff on the market. And the others would be called stewards, for lack of a better word. These stewards wouldn't have a very light touch supervision regime. Their obligations wouldn't be very much because they are just intermediators. Their obligations would be to intermediate between the market surveillance authority and the pool of contributors from different places. And the integrators. They would also be a way, a step up, between not having anything and having something. And some stewards may in due time come around to be full NLF vendors if they get to be successful enough. This is the proper solution, which I personally think would be best for several reasons. One of them is that, well, in every sector, companies come to us saying, we don't want separation. Leave us out. But it's called that. Having a CE marking is a very good thing. There's a reason why China puts a China export symbol that looks very, very much like the CE marking. And that is that if I'm a manufacturer of this remote and I have to integrate chips and software in it, I can have two options.
I can buy chips that have already a CE marking and I don't have to worry anymore. Or I can buy chips that do not have a CE marking and then I have to comply myself with all the duties of certification, of revision, of managing and notifying the vulnerabilities, et cetera. And if you are an open source provider and want your software to be used out there, you will be astute, your producers are not going to choose you because you are too costly and besides, it's not a very manageable cost or a very predictable cost. The cost of an economic vendor is much more predictable. But through this model of stewards, you may in a very lightweight way comply with these requisites and have more market opportunities. And that's what is, I hope I could tell you more but this is currently being negotiated over and I also concur with Kieran. I sincerely desire that we would have more time to give it our good, another go and revise a better possible compromise but time is on us, the Spanish presidency ends very soon and after the EU elections, all these negotiations would have to start from scratch. And the parliament, both parliament and council are very, very keen on getting this over with as soon as possible. Thank you.

We do have 10 minutes for questions. Oh, as many minutes as you like. As many minutes, probably 10. First question there.

Thank you so much. Is this working? Yeah, for this interesting presentation, the situation seems to be quite complicated and after seeing all those metrics, I'm wondering whether you have created any sort of taxonomy reflecting what would be the implications for European businesses or for European citizens of all the different options there if open source is in some way impacted by CRA according to the current text of the law. So I don't know, is that information?

That's a very good question and a very broad one too. So Karen harped a lot on the basic fear of most EU regulators, which is let's not give the final killing blow to our industry.
Let's not scare producers away, but frankly, cyber security is here to stay. Cyber resilience will be required, not only in the EU because the problem I have touched upon, the rationale for the CRA is a real one. We live in a cyber security pandemic and you don't want to be the guy who says no, no, no mask for me, I'm asthmatic because you may get away with it, but then you will not be making many friends and influencing people and you will not be commercially successful. So what will be the impact on businesses? Well, the good side of this layer of regulations is that the impact all businesses, all software producers and all producers of goods shall have to comply with the CRA. Of course, we haven't touched this because the CRA is very broad. Depending on the criticality of your product, you will have to comply with harsher requirements or with less harsh requirements. And like 90% of the products out there shall make do with presenting a self-evaluation. So in the end, it will not be so harsh but will this kill off the European businesses? I think not because in the United States this is going to be implemented and in China, in other nations too because this is being demanded. It's being demanded by citizens. This is another part of the thing. We get a lot of pressure from industry lobbyists, from all kinds of manufacturers of equipment, you may imagine, but consumer defense associations are much less effective in lobbying us and we want to listen to them too. And it's for the sake of the citizens that we do this. And also for the sake of value chains. I mean, the harsher requirements and things like machining tools and things that are used in critical value chains.

Cool, yeah. So one of the questions that remains is that you said that, well, CRA is of course on the EU side and then China and the US are also working on their own CRA-like laws. How is the, how is the parliament or how is the EU? We live in a very broad and connected world, right?
And most of the, at least of the open source software comes from engineers all around the world. How would this apply to software that's maybe, I don't know, started in the US and then continues in China? And also how do you plan to, not you of course, but the EU stays competitive in terms of productivity and software, whereas the other CRAs around the world might not be as restrictive as this one.

That's a really very good question, thank you. Well, as you have said, I'm not planning anything. I'm a small cog in the machine and humble civil servant but I'm inside of the machine so I can see things. The CRA applies to all kinds of goods. I mean, you see your own specific part of the box but it applies to all kinds of industrial goods. Everything that can have a data connection and in the modern world that includes shoes. So yes, that is the case in many places because value chains are all around the world and the things not made in Indonesia and not made in China and not made in Europe they are put together everywhere. So this is not only the case for software, this is the case for everything. And I mean, the EU has a lot of experience in this because the new legislative framework substitutes the formal legislative framework and this is the whole business case of the EU about having a customs union and having free transit along that customs union. What differences does software have with all the physical goods? Well, for one, software is immaterial.
So when you talk about physical goods you talk about things that come in containers that arrive in a harbor and are put into a train and they arrive to a very specific member state and it's the market surveillance authority in that member state that guarantees the CE marking or things that are fabricated in some member state and they are guaranteed the CE marking in a member state or in, for example, or in other countries that have a customs union with the EU as in Turkey or in countries that have a specific kind of a treaty of mutual acceptance. He is looking at the United States and where this is accepted. But in the end, you have got a manufacturer and this manufacturer puts together things as long as the things he manufactures, CE compliant and have a CE marking and the things he buys, CE compliant that have a CE marking, he's okay. And if they don't, he's responsible for that path in software too.

A very good question is, but what about the physical presence? Where is the software sold? Well, I personally wanted the software of the CRA regulation to be like the digital services in the NIS directive, which have the main establishment or main representative policy, which is if you sell digital services in the EU, you have to answer to the NIS authority, to the cyber security authority of the place where you have the main establishment. As things stand now, this is not the case here. If you sell in Spain software, you'll get to answer to the market surveillance authority in Spain. Of course, pooling together the supervision resources of member states makes a lot of sense and it makes more sense in software because it's not people standing at a specific harbor and watching things come through, it's more centralized. And there are already initiatives by the European Commission, like the Cyber Solidarity Act, where they talk of pooling all resources, of putting together resources.
So I see in the future, some future model coming of unification or pooling together of these supervision actions by member states for the sake of efficiency. But of course, the EU legislation comes more at a glacial pace. Look at, I mean, data protection. Data protection started in the 80s and now we have it's more or less ripe. So every six years, we will be getting a new CRA. As in every six years, we are getting a new NIS directive iteration. And this is one first shot. This is a button, the start shot. In six years, we will hopefully see how this has been working and perfect it.