Cybersecurity Risk Assessment
A cybersecurity risk assessment is a systematic process of identifying, analysing, and evaluating security threats and vulnerabilities that could affect a product or system, then determining appropriate mitigations. The EU Cyber Resilience Act requires manufacturers to conduct and document a cybersecurity risk assessment as a precondition for market placement.
What Is a Cybersecurity Risk Assessment?
A cybersecurity risk assessment is a structured evaluation of the security risks facing a product throughout its lifecycle — from design and development through deployment, operation, and end of life. It identifies assets worth protecting (data, functionality, safety systems), enumerates plausible threat actors and their capabilities, maps attack paths against the product's attack surface, evaluates the likelihood and impact of each threat scenario, and identifies controls that reduce risk to an acceptable level. The process is typically documented and updated iteratively as the product evolves. Common frameworks include ISO/IEC 27005, IEC 62443-3-2, and ETSI EN 303 645.
Why Risk Assessment Is Required Under the CRA
Article 13(1) of the CRA explicitly requires manufacturers to undertake a cybersecurity risk assessment of their product and to take the outcomes into account during planning, design, development, production, delivery, and maintenance. The risk assessment is not a one-time document: it must be updated whenever new vulnerabilities are identified or when the product's intended use or operating environment changes materially. The assessment forms the analytical foundation for technical documentation (Article 23) and for demonstrating conformity with Annex I essential requirements. Without a documented risk assessment, a manufacturer cannot credibly claim their product meets the CRA's cybersecurity baseline.
How Manufacturers Conduct CRA-Compliant Risk Assessments
A CRA-compliant risk assessment should follow a repeatable methodology and produce documented outputs that can be shared with conformity assessment bodies. Key steps include: (1) defining the scope — the product, its components, data flows, and operational environment; (2) identifying threats using a structured method such as STRIDE or attack trees; (3) evaluating likelihood and impact for each threat scenario, often using CVSS as a reference scoring system; (4) mapping existing controls and identifying residual risks; (5) documenting accepted risks with justification; (6) recording the assessment date and committing to a review schedule. The output should be traceable to specific Annex I requirements.
Common Mistakes
Manufacturers frequently produce a risk assessment at the start of development and then treat it as immutable, failing to update it when new vulnerabilities emerge in third-party components or when the product's connectivity changes. A second common error is confusing a risk register with a risk assessment: a list of risks without threat modelling, impact analysis, or control mapping does not satisfy the CRA's requirements. Assessments that ignore supply chain risks — for example, risks introduced by open-source components or subcontracted firmware — are increasingly flagged by market surveillance authorities as incomplete.
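The six-step methodology above and the register-versus-assessment distinction in Common Mistakes, as an added example (not CVD Portal's code): a minimal Python model of an assessment whose checks flag what a bare risk register lacks (unclassified threats, no Annex I traceability, residual risk left unaccepted without justification) and whose review trigger fires when a component vulnerability postdates the assessment. The 1..5 likelihood and impact scales, the acceptance threshold and the field names are assumptions; the caller supplies the scenarios.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# STRIDE categories for step (2); every scenario must be classified under one.
STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}
ACCEPTABLE = 6  # constructed threshold on residual likelihood x impact (each 1..5)

@dataclass
class Scenario:
    asset: str
    threat: str                # STRIDE category
    likelihood: int            # inherent, 1..5
    impact: int                # inherent, 1..5
    controls: list             # step (4): controls mapped to this scenario
    residual_likelihood: int   # after controls
    residual_impact: int
    annex_i_ref: str           # traceability to an Annex I requirement
    accepted: bool = False     # step (5): residual risk formally accepted
    justification: str = ""

@dataclass
class Assessment:
    product: str
    scope: str                 # step (1)
    assessed_on: date          # step (6)
    review_interval_days: int
    scenarios: list = field(default_factory=list)

def residual(s):
    return s.residual_likelihood * s.residual_impact

def gaps(a):
    """Findings that make this a bare risk register rather than an assessment."""
    found = ["scope undefined"] if not a.scope else []
    for s in a.scenarios:
        tag = f"{s.asset}/{s.threat}"
        if s.threat not in STRIDE:
            found.append(f"{tag}: threat not classified with STRIDE")
        if not s.annex_i_ref:
            found.append(f"{tag}: no Annex I traceability")
        if residual(s) > s.likelihood * s.impact:
            found.append(f"{tag}: residual risk exceeds inherent risk")
        if residual(s) > ACCEPTABLE and not (s.accepted and s.justification):
            found.append(f"{tag}: residual {residual(s)} above threshold without justified acceptance")
    return found

def review_due(a, today, last_component_vuln=None):
    """Calendar review overdue, or a component vulnerability postdates the assessment."""
    if today - a.assessed_on > timedelta(days=a.review_interval_days):
        return True
    return last_component_vuln is not None and last_component_vuln > a.assessed_on
```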
Frequently asked
Is a cybersecurity risk assessment mandatory under the EU Cyber Resilience Act?
Yes. Article 13(1) of the CRA explicitly requires manufacturers to undertake a cybersecurity risk assessment and incorporate its outcomes into the product's design, development, and ongoing maintenance. The risk assessment must be documented and retained as part of the technical documentation. Manufacturers who cannot produce a documented risk assessment when requested by a market surveillance authority are in breach of the regulation.
Which standards can manufacturers use to conduct their CRA risk assessment?
The CRA is standards-neutral, but manufacturers can reference harmonised European standards once published. Currently accepted frameworks include ISO/IEC 27005 (information security risk management), IEC 62443-3-2 (industrial cybersecurity risk assessment), and ETSI EN 303 645 (consumer IoT). Using a recognised framework and documenting the methodology strengthens the presumption of conformity and simplifies engagement with conformity assessment bodies.
How often must the risk assessment be updated?
The CRA requires the risk assessment to be reviewed and updated whenever there is a material change — including when new vulnerabilities are discovered in product components, when the intended use or operating environment changes, or when a significant software update is released. There is no fixed calendar interval specified in the regulation, but industry guidance recommends a formal annual review at minimum, with triggered reviews following any significant security incident or major component change.