Opinion on the applicability of EU CRA to OSS-ECAL

July 20, 2025
Rui Long Lab Inc.
CEO

Summary

This opinion clearly explains the technical and legal grounds for OSS-ECAL being excluded from the scope of the EU Cyber Resilience Act (CRA).

OSS-ECAL Target Applications and Design Scope

OSS-ECAL is designed as software for controlling electronic components that are not directly connected to external networks (IP communication, Wi-Fi, CAN, Bluetooth, etc.).

1. OSS-ECAL Target Applications

OSS-ECAL is control software for the following electronic components.

  • Electronic components connected via the onboard communication interfaces of an MCU (microcontroller), such as SPI (Serial Peripheral Interface) and I2C (Inter-Integrated Circuit).
  • Electronic components connected by digital signals such as MCU GPIO and PWM.
  • Electronic components connected by analog signals such as MCU ADCs and DACs.

2. OSS-ECAL Design Scope

As mentioned in the previous section, the scope of OSS-ECAL design does not cover electronic components connected to external networks, and the design does not assume cybersecurity functions.

Basis for being outside the scope of the CRA

The CRA defines its scope as “products that have digital elements and are directly or indirectly connected to a network.”

OSS-ECAL is not subject to CRA for the following reasons.

  • Does not have external network functionality.
  • Does not have cybersecurity features such as authentication, encryption, and remote updates.

Therefore, OSS-ECAL alone does not constitute a factor in the cyber risks targeted by CRA.

Notes for end product developers

OSS-ECAL itself is not subject to the CRA, but the final product in which OSS-ECAL is incorporated may be. This is particularly true in the following cases.

  • When the final product is configured to be capable of external network communication.
  • When security functions such as communication, authentication, and encryption are added to the upper-level software of OSS-ECAL.
  • When the final product is distributed and sold for commercial purposes in the EU market.

In such cases, the responsibility for ensuring CRA compliance for the final product as a whole lies with the final product developer. Please note that even if OSS-ECAL itself is not subject to CRA, the final product in which it is incorporated may be subject to CRA.

Conclusion

OSS-ECAL does not include external network connection functions or cybersecurity functions, and therefore is not considered to be subject to CRA at this time.

This is because OSS-ECAL does not have external network connection or security functions and does not fall under the definition of “products that have digital elements and are directly or indirectly connected to a network” as defined by the CRA.

If needed, we can provide an SBOM (Software Bill of Materials) and other technical documents to help final product developers determine CRA compliance.
