irigsoft Posted March 4

Because this is coming soon (in 2027) in the whole European Union, is there an integrated functionality for this?

CRA:
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng

Will uniGUI be on the market in Europe?

"The EU's Cyber Resilience Act (CRA) is a regulation strengthening cybersecurity rules for hardware and software products, requiring "security by design" throughout their lifecycle. Adopted in late 2024, it mandates CE marking for digital products, with mandatory compliance by December 11, 2027. Manufacturers must report incidents, fix vulnerabilities, and ensure support.

Key Aspects of the Cyber Resilience Act (CRA)

Timeline: The regulation entered into force in late 2024, with a 36-month transition period, making most rules applicable from December 11, 2027.

Reporting Obligations: Manufacturers must report actively exploited vulnerabilities and severe incidents within 24 hours to the Computer Security Incident Response Team (CSIRT).

Conformity Assessment: Products must undergo assessments to prove they meet security standards before being sold in the EU, indicated by a CE mark.

Liability: Manufacturers, importers, and distributors bear responsibility for cybersecurity, ensuring that products are not placed on the market with known vulnerabilities.

Scope: Covers almost all products with digital elements (both hardware and software) connected to the internet, from smart home devices to industrial systems.

Mandatory Requirements: Manufacturers must conduct risk assessments, provide security updates, maintain vulnerability management, and ensure secure default configurations.

The CRA aims to reduce costs associated with cyberattacks and improve the security of the Internet of Things (IoT) landscape, ensuring users are better protected."

NIS2: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive

Since we are developing software that falls under the CRA, can we use any of the built-in protections and information that the uniGUI team offers (like an SBOM (Software Bill of Materials))?
irigsoft (Author) Posted March 4

Are the uniGUI manufacturers themselves subject to the CRA?

Yes, the uniGUI manufacturers themselves (company FMSoft Inc.) are also subject to the Cyber Resilience Regulation (CRA) if they continue to market their product in the European Union. The CRA has extraterritorial effect and applies to any manufacturer of "products with digital elements", regardless of where their headquarters are located, as long as their product is sold or made available to consumers in the EU.

What are FMSoft's (the manufacturer's) obligations under the CRA?

In order for uniGUI to remain legally on the EU market after 2027, FMSoft must meet the following conditions:

Certification and CE marking: They must undergo a conformity assessment procedure and affix the CE mark to their software to ensure that it is developed in accordance with cybersecurity requirements.

Vulnerability management: The manufacturer is required to maintain a process for detecting, reporting and fixing vulnerabilities in uniGUI for the entire product support period.

Technical Documentation and SBOM: They must prepare detailed documentation and a "Software Bill of Materials" (SBOM) describing all embedded libraries (e.g. Sencha Ext JS).

ENISA Reporting: From September 2026, FMSoft will be required to report any actively exploited vulnerabilities in uniGUI directly to European cybersecurity authorities.

What does this mean for you (as a software developer)?

If FMSoft fails to comply with these requirements:

Their uniGUI product may be banned from sale and distribution within the EU.

You, as a developer, will not be able to legally sell your applications in the EU if they include non-compliant components such as uniGUI.

Important: Since Turkey is not a member of the EU, FMSoft will likely need to appoint an Authorized Representative in the EU to be responsible for the product's compliance with European regulators.

So we need an answer and a deadline in the Roadmap!

I'm planning to update my driver's license, but what about the CRA and uniGUI? It is important for all developers in the EU.

@Farshad Mohajeri, @Sherzod, @Hayri ASLAN

https://blogs.embarcadero.com/what-is-sbom-and-why-is-it-so-important-this-year/
Sherzod Posted March 4

Hello,

In my opinion this topic may be a bit premature. CRA mainly targets products with digital elements and security lifecycle obligations, but frameworks and development tools are usually treated differently. Most likely vendors will just need to formalize their security processes (updates, vulnerability handling, documentation). I don't think this means frameworks like uniGUI will disappear from the EU market...
irigsoft (Author) Posted March 4

22 minutes ago, Sherzod said:
Hello, In my opinion this topic may be a bit premature. CRA mainly targets products with digital elements and security lifecycle obligations, but frameworks and development tools are usually treated differently. Most likely vendors will just need to formalize their security processes (updates, vulnerability handling, documentation). I don't think this means frameworks like uniGUI will disappear from the EU market...

Hi,

Even using an old version of Delphi or outdated versions of the OpenSSL library is a problem for the CRA. Simply formalizing security processes is not enough. It is necessary to pay more attention to this regulation, because the applications we develop using uniGUI will not meet the requirements for "security by design".

CRA problem: If you use outdated drivers (e.g. SQLOLEDB), you are in violation, because the CRA requires the use of components without known vulnerabilities. According to the CRA, the developer is responsible not only for the code, but also for the components he uses to connect to the database (e.g. FireDAC, UniDAC, DBExpress).

Impact on developed applications: The software that you create with uniGUI and sell on the EU market may also fall under the scope of the CRA if it meets the criteria for a related product.
irigsoft (Author) Posted March 4

31 minutes ago, Sherzod said:
Hello, In my opinion this topic may be a bit premature. CRA mainly targets products with digital elements and security lifecycle obligations, but frameworks and development tools are usually treated differently. Most likely vendors will just need to formalize their security processes (updates, vulnerability handling, documentation). I don't think this means frameworks like uniGUI will disappear from the EU market...

For example: Since Delphi is a commercial software product ("product with digital elements") placed on the EU market and capable of direct or indirect connection to a network or device, it must comply with the new security requirements.
irigsoft (Author) Posted March 4

1 hour ago, Sherzod said:
Hello, In my opinion this topic may be a bit premature. CRA mainly targets products with digital elements and security lifecycle obligations, but frameworks and development tools are usually treated differently. Most likely vendors will just need to formalize their security processes (updates, vulnerability handling, documentation). I don't think this means frameworks like uniGUI will disappear from the EU market...

I need to prepare my documentation and the deadline is approaching, considering that the scope includes API integration with online stores, security libraries and the development core. I would like to be sure that your product has plans to meet these requirements, and I would not say that "the question is premature", considering that the regulation has been in force since 2024, in September 2026 the notification requirements come into effect, and in 2027 all products to be sold in the EU (this is our main market) must be ready with all the documentation. I am currently collecting information from all products, and after analysis our company will decide which products to discontinue and which products to purchase. The information you provide will be useful for everyone.

Classification as "Products with Digital Elements" (PDE):

Delphi (IDE and compiler): The tool itself falls under the scope of the CRA if it is placed on the EU market as a commercial product. Its developer (Embarcadero) is responsible for the security of the tool and the code it produces (runtime libraries).

uniGUI (Web Framework): As a software development framework, it is considered a software component. If integrated into end products, the manufacturer of the end product must include uniGUI in their software bill of materials (SBOM).

Magento (e-commerce platform):
Magento Open Source: If used in a non-commercial context (development only, without selling a service/product), it can be excluded.
Adobe Commerce (paid version): Treated as a commercial software product that must meet the "security by design" requirements.

SBOM (Software Bill of Materials): Developers using these tools are required to maintain an up-to-date inventory of all built-in libraries and dependencies (e.g. ExtJS in uniGUI).

Another example:

3. Vulnerability Management

Under the CRA, you are responsible for the security of the libraries you use. If a critical vulnerability is discovered in the Delphi 10.4 standard library (which is out of support), Embarcadero will not release a patch for it. In this case, you would be in violation of the CRA because you are using a "component with known vulnerabilities" for which no fix is available.
Abaksoft Posted March 4

So, welcome to the AFRICA market. Here, no business constraints...
Farshad Mohajeri (Administrators) Posted March 5

Just forget about uniGUI and try realizing how many Delphi 3rd party components are complying with this or will comply in the future? Not only 3rd party components. Is Delphi itself compliant?

In short, there is nothing special about uniGUI here. In reality, no one will be able to prevent you from buying or downloading uniGUI from our servers.
irigsoft (Author) Posted March 5

1 hour ago, Farshad Mohajeri said:
Just forget about uniGUI and try realizing how many Delphi 3rd party components are complying with this or will comply in the future? Not only 3rd party components. Is Delphi itself compliant? In short, there is nothing special about uniGUI here. In reality, no one will be able to prevent you from buying or downloading uniGUI from our servers.

Yes, that's right. Many components and even Delphi. Embarcadero already knows about it and gives useful information about their compatibility plans. I'm trying to gather information about how uniGUI will proceed.

However, software manufacturers must describe the libraries used and the risks arising from this, as well as whether support for the product is planned and for what period (which is required of us). Imagine that we have to provide support for 10 years, and in the 2nd year a vulnerability is discovered in uniGUI and you cannot fix it. For us as a developer, this means that we are "obliged" to replace the core (uniGUI) of the software we offer. For this reason, it is important to understand what procedures you will follow regarding the CRA.

Even at this point, we should not use the old OpenSSL libraries that Indy works with, as this is incompatible with the required CRA compliance. I think that in this regard we cannot use uniGUI for developing our products either, as it does not support TLS 1.3 (not CRA compliant).
irigsoft (Author) Posted March 6

@Farshad Mohajeri, as developers we need to include in our CRA documentation: "Vendor Dependency: You must have a written guarantee (or cite the uniGUI policy) for support and bug fixes." Is there some information about that?
Farshad Mohajeri (Administrators) Posted March 6

1 hour ago, irigsoft said:
@Farshad Mohajeri, as developers we need to include in our CRA documentation: "Vendor Dependency: You must have a written guarantee (or cite the uniGUI policy) for support and bug fixes." Is there some information about that?

What happens if your subscription is expired? You still have a usable product, but no more bug fixes. What will happen in this case?
irigsoft (Author) Posted March 6

1 hour ago, Farshad Mohajeri said:
What happens if your subscription is expired? You still have a usable product, but no more bug fixes. What will happen in this case?

@Farshad Mohajeri, your question is entirely relevant and could be answered by an experienced lawyer in European law. I will take the liberty of quoting parts of the Regulation which set out certain rules to follow and on the basis of which I will give my answer:

(From the CRA)

"(40) Given the iterative nature of software development, manufacturers who have placed on the market subsequent versions of a software product as a result of a subsequent substantial modification of that product should be able to provide security updates for the maintenance period only for the latest version of the software product that they have placed on the market. They should be able to do so only if users of the relevant previous versions of the product have free access to the version of the product that was last placed on the market and do not have to incur additional costs for adapting the hardware or software environment in which they use the product. This could be the case, for example, where upgrading a desktop operating system does not require new hardware such as a faster central processor or more memory. However, the manufacturer should continue to comply with other vulnerability remediation requirements during the maintenance period, such as having a coordinated vulnerability disclosure policy or established measures to facilitate the exchange of information on potential vulnerabilities for all subsequent substantially modified versions of the software product placed on the market. Manufacturers should be able to provide minor security or functionality updates that do not constitute a substantial change only for the latest version or sub-version of a software product that has not been substantially modified. At the same time, where a hardware product such as a smartphone is not compatible with the latest version of the operating system with which it was originally shipped, the manufacturer should continue to provide security updates for at least the latest compatible version of the operating system during the maintenance period."

"(59) In order to ensure the safety of products with digital elements after they are placed on the market, manufacturers should define maintenance periods that should reflect the time during which the product with digital elements is expected to be in use. When defining a maintenance period, the manufacturer should take into account, in particular, the reasonable expectations of users, the nature of the product, as well as the relevant Union legislation defining the life cycle of products with digital elements. Manufacturers should also be able to take into account other relevant factors. The criteria should be applied in a way that ensures proportionality when defining the maintenance period. The manufacturer should provide market surveillance authorities, upon request, with the information that has been taken into account when defining the maintenance period for a given product with digital elements."

"(60) The maintenance period during which the manufacturer guarantees the effective removal of vulnerabilities should not be shorter than five years, unless the life cycle of the product with digital elements is shorter than five years, in which case the manufacturer should guarantee the removal of vulnerabilities for that life cycle. Where it is reasonable to expect the product with digital elements to be used for more than five years, which is often the case for hardware components such as motherboards or microprocessors, network devices such as routers, modems or switches, and software such as operating systems or video processing tools, manufacturers should accordingly guarantee longer maintenance periods. In particular, products with digital elements intended for use in industrial environments, such as industrial control systems, are often used for significantly longer periods of time. The manufacturer should be able to set a maintenance period shorter than five years only where this is justified by the nature of the product with digital elements concerned and where that product is expected to be used for less than five years, in which case the maintenance period should correspond to the expected time of use. For example, the life cycle of a contact tracing application designed to be used during a pandemic may be limited to the duration of the pandemic. Furthermore, some software applications, by their nature, can only be provided on a subscription basis, in particular when, after the subscription expires, the application becomes inaccessible to the user and therefore no longer usable."

"(61) When products with digital elements reach the end of their maintenance period, in order to ensure that vulnerabilities can be addressed after the end of the maintenance period, manufacturers should provide for the provision of the source code of such products with digital elements either to other undertakings that undertake to extend the provision of vulnerability remediation services or to the public..."

Based on this and the above, here's what happens under the CRA if you use a version of uniGUI without an active update subscription:

1. Security Responsibility (Due Diligence)

You (the developer using uniGUI) are responsible for vulnerabilities: According to the CRA, manufacturers must ensure that their products do not contain known vulnerabilities when they are released to the market.

Lack of patches: If a critical vulnerability is discovered in uniGUI and your subscription has expired, you will not receive an official fix.

Obligation to respond: You (the developer using uniGUI) are obligated to fix any vulnerability in the components you integrate. If the developer of uniGUI (FMSoft) releases a fix but you do not have access to it, your software will be in violation of the "lifecycle support" requirement.

2. Support and updates

Product life cycle: The CRA requires manufacturers to provide security updates for a certain period (usually the expected life of the product).

Update failure: Without a new subscription, you lose the ability to fulfill this legal obligation for automatic or regular security updates of the embedded library.

3. Risks and penalties

Sale ban: If your software includes incompatible or unsafe components (such as an old version of uniGUI with publicly known holes), it may be banned from sale in the EU.

Fines: Violations of the basic cybersecurity requirements can lead to administrative fines of up to €15 million or 2.5% of annual worldwide turnover.

My answer: Developers have the following options:

1. Purchase a subscription for a new version.
2. Stop development of new versions and continue support for 5 years after the last public version.

For this reason, information (now) is important!
irigsoft (Author) Posted March 6

2 hours ago, Farshad Mohajeri said:
What happens if your subscription is expired? You still have a usable product, but no more bug fixes. What will happen in this case?

Here are the critical points you should see when using uniGUI without a subscription in this scenario:

1. Mandatory security updates

According to the CRA, you are required to provide security updates for the expected life of the product (usually a minimum of 5 years). If your uniGUI subscription has expired:

You do not have access to vulnerability fixes in the core framework itself or in Sencha Ext JS.

You cannot guarantee to a new customer that the software is secure "by design", because you are using components that are not supported by the original developer (FMSoft).

2. Software Bill of Materials (SBOM)

Under the CRA you must maintain a Software Bill of Materials (SBOM). It must list all libraries (including uniGUI and its version). If a critical issue appears in the public vulnerability databases (CVE) for your version of uniGUI, regulators will see that you are selling a product with a "known and unpatched vulnerability". This is a direct violation.

3. Declaration of Conformity (CE Marking)

To sell after December 2027, you must issue an EU Declaration of Conformity and affix the CE Mark. As part of the technical dossier, you must prove that you manage the risks. Using software with "expired support" makes this proof almost impossible during an inspection.

4. Your risk as a "Manufacturer"

Since FMSoft (the developer of uniGUI) is outside the EU, if they do not comply with the CRA, all responsibility falls on you as the manufacturer/distributor/developer who places a product on the EU market.

So, as a developer, I will always have to maintain my uniGUI subscription if I fall under the jurisdiction of the CRA.
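The SBOM and "known, unpatched vulnerability" points in the post above are the kind of check a developer would automate in their build pipeline. The script below is an added illustration written for this thread, not code from FMSoft, uniGUI or any project mentioned here. It builds a CycloneDX-shaped component list for a hypothetical uniGUI application and flags (a) components whose version falls inside an advisory's affected range and (b) components whose stated vendor maintenance period has ended or was never stated. Every component name, version, date and advisory ID in it is constructed sample data: the advisories are not real CVEs and the dates are not real support windows.

```python
"""Minimal SBOM inventory check (illustration only; constructed sample data).

Flags two of the situations discussed in the thread:
  * a component version that matches a published advisory (here: constructed ones), and
  * a component whose vendor support (maintenance period) has ended or is undocumented.
"""
from datetime import date


def parse_version(v: str) -> tuple:
    """Turn '1.90.0.1567' into (1, 90, 0, 1567) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


# Constructed inventory of the hypothetical application's dependencies.
# Versions and support_until dates are placeholders, not real release data.
COMPONENTS = [
    {"name": "uniGUI", "version": "1.90.0.1567", "supplier": "FMSoft",
     "support_until": date(2026, 6, 30)},
    {"name": "Sencha Ext JS", "version": "7.0.0", "supplier": "Sencha",
     "support_until": date(2027, 1, 1)},
    {"name": "OpenSSL", "version": "1.0.2", "supplier": "OpenSSL Project",
     "support_until": date(2019, 12, 31)},
    {"name": "Indy", "version": "10.6.2", "supplier": "Indy Project",
     "support_until": None},  # None: no maintenance period documented by the vendor
]

# Constructed advisories (NOT real CVEs). Affected range is [affected_from, fixed_in).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "OpenSSL",
     "affected_from": "1.0.0", "fixed_in": "1.1.1"},
    {"id": "ADV-EXAMPLE-0002", "component": "uniGUI",
     "affected_from": "1.0.0", "fixed_in": "1.90.0.1600"},
]

# Constructed reference date for the support check (placeholder, chosen for the demo).
CHECK_DATE = date(2026, 9, 11)


def build_sbom(components, app_name="ExampleShopConnector", app_version="2.3.0"):
    """Return a CycloneDX-shaped dict (bomFormat/specVersion/metadata/components)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application",
                                   "name": app_name, "version": app_version}},
        "components": [
            {"type": "library", "name": c["name"], "version": c["version"],
             "supplier": {"name": c["supplier"]}}
            for c in components
        ],
    }


def find_known_vulnerable(sbom, advisories):
    """Return (component name, advisory id) pairs whose SBOM version is in an affected range."""
    hits = []
    for comp in sbom["components"]:
        v = parse_version(comp["version"])
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(adv["affected_from"]) <= v < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], adv["id"]))
    return hits


def find_unsupported(components, today):
    """Return names of components whose support ended before `today` or has no stated
    maintenance period at all; both need a documented plan in the technical dossier."""
    return [c["name"] for c in components
            if c["support_until"] is None or c["support_until"] < today]


if __name__ == "__main__":
    sbom = build_sbom(COMPONENTS)
    print("SBOM components:", [(c["name"], c["version"]) for c in sbom["components"]])
    print("Known-vulnerable:", find_known_vulnerable(sbom, ADVISORIES))
    print("Unsupported or undocumented support:", find_unsupported(COMPONENTS, CHECK_DATE))
```

In a real pipeline the `ADVISORIES` list would be replaced by a feed from a vulnerability database keyed on the SBOM's component identifiers, and the `support_until` values by the vendor's published maintenance periods; the two checks then give a repeatable, auditable answer to "are we shipping a component with a known, unfixed issue or with expired support", which is what the technical dossier has to demonstrate.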
irigsoft (Author) Posted March 7

7 hours ago, rgreat said:
Looks like it sucks to be an EU developer.

The US has a similar law on this issue. It's not that bad, but if we want to sell in the EU, we have to make plans for what to update, buy and subscribe to. A similar law also applies to laptops, smart technology and other equipment: a 10-year warranty on replacement parts and maintenance service.
Farshad Mohajeri (Administrators) Posted March 8

Publishing security updates for older versions is not an option for us. We only work on the current version and can't revisit older versions and publish updates for them.

That said, we will take this matter seriously and take the necessary steps to become compliant with it. The deadline is still a bit far away, but we will start reviewing our available options.
irigsoft (Author) Posted March 8

1 hour ago, Farshad Mohajeri said:
Publishing security updates for older versions is not an option for us. We only work on the current version and can't revisit older versions and publish updates for them. That said, we will take this matter seriously and take the necessary steps to become compliant with it. The deadline is still a bit far away, but we will start reviewing our available options.

Thanks, that's what I wanted to know. Now I can plan to update (and subscribe) to the latest version and I can count on support. Please add this information to the Roadmap (announce it as planned) so that more developers who will need it can see it.
irigsoft (Author) Posted March 10

@Farshad Mohajeri, I am sending this to help with uniGUI's CRA compliance check: https://www.cra-toolkit.com/assessment