EU Cyber Resilience Act FAQ Cybersecurity Risk Assessment

Article 13 requires the manufacturer to assess the cybersecurity risks associated with a product with digital elements and use the outcome during planning, design, development, production, delivery, and maintenance.

The assessment should show how the manufacturer is minimising cybersecurity risks, preventing incidents, and reducing incident impact, including effects on user health and safety where relevant. It should connect product assumptions, threats, mitigations, tests, and residual risks to the essential requirements in Annex I.

Every in-scope product with digital elements needs one. Classification as an important or critical product affects conformity assessment routes and assurance expectations, but it does not supersede the Article 13 risk assessment.

The Commission FAQ is explicit that default-category, important, and critical products all require a comprehensive cybersecurity risk assessment. The depth of treatment should reflect the product's actual risk profile, intended use, deployment context, and expected exposure.

At minimum, Article 13(3) requires an analysis of cybersecurity risks based on the product's intended purpose, reasonably foreseeable use, conditions of use, and the length of time the product is expected to be in use.

The conditions of use can include the operational environment, the assets to be protected, user skill assumptions, connected systems, and deployment constraints. Those inputs should be specific enough to explain why particular Annex I requirements apply, why others do not, and how selected controls are proportionate to the risks.

They define the threat model and the level of risk treatment expected for the product. The same type of product may require different controls if one version is intended for a residential setting and another is intended for critical infrastructure or another high-exposure environment.

Reasonably foreseeable use is broader than the manufacturer's preferred use case. It covers uses likely to result from foreseeable human behaviour, technical operations, or interactions. The assessment should therefore record excluded assumptions, supported environments, user groups, and foreseeable integrations that materially affect cybersecurity.

Yes. The CRA user-information rules require disclosure of known or foreseeable circumstances linked to intended use or reasonably foreseeable misuse that may lead to significant cybersecurity risks.

For the assessment, that means manufacturers should not rely only on ideal secure deployment. If misuse, misconfiguration, insecure integration, unsupported environments, or predictable user behaviour could create significant cybersecurity risk, the file should show whether the risk is mitigated in the product, constrained by instructions, or treated as a residual risk communicated to users.