Blog | SEP 19, 2025
What Manufacturers Must Know About CRA's Risk Assessment
As digital products continue to dominate markets across Europe, the European Union’s Cyber Resilience Act (CRA) marks a pivotal shift in how cybersecurity is regulated from connected consumer devices to embedded industrial systems. Central to this new regulation is a formal cybersecurity risk assessment, which now becomes a foundational component of both your technical documentation and market access strategy.
What Is the CRA Risk Assessment?
The Cyber Resilience Act (Regulation (EU) 2024/2847) introduces essential cybersecurity requirements for both the design and the lifecycle of a product. Manufacturers must perform a risk-based approach to compliance and incorporate it into their technical documentation. For a deeper breakdown of the regulation's structure, timeline, and scope, refer to our introductory post on the Cyber Resilience Act.
At the heart of CRA compliance is the cybersecurity risk assessment. Article 13 of the regulation explicitly requires that manufacturers shall perform an assessment of the cybersecurity risks associated with a product with digital elements and take the results of that assessment into consideration during the planning, design, development, production, delivery and maintenance process of their product.
The CRA defines risk assessment as the process by which manufacturers identify, analyze, and evaluate cybersecurity risks related to their product’s intended use and foreseeable misuse. This assessment covers vulnerabilities, operational context, lifecycle threats, and exploitation likelihood.
This risk assessment is not optional. It informs which of the Annex I requirements apply to your product and how they should be implemented. There are many different ways to implement a CRA requirement, and manufacturers can choose the approach that best mitigates the identified risks, as long as it is justified in the risk assessment.
Without a documented risk assessment, a manufacturer cannot claim CE marking under the CRA. The risk assessment becomes both a compliance document and a strategic blueprint for secure-by-design development. Risk assessments should inform about these architecture decisions, ultimately manufacturers demonstrating that their chosen cybersecurity measures are a logical response to the product’s identified risks.
Looking for one place that brings the entire CRA together? Visit Tributech’s CRA Guide to navigate essential requirements, implementation details, and regulatory alignment with confidence.
CRA Mentions of Risk Assessment in Articles and Annexes
CRA Reference | Tributech’s Interpretation of Official CRA Reference |
|---|---|
Article 13, 2 | Manufacturers shall conduct a cybersecurity risk assessment for each product with digital elements “and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance…”. |
Article 13, 3 | The cybersecurity risk assessment must be documented and updated regularly. It “shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use”. Based on this, manufacturers must determine which CRA requirements apply, how they are implemented, and why. The assessment should also indicate which Annex I Part I(2) requirements apply, how you apply Annex I Part I(1), and how Annex I Part II vulnerability-handling requirements are met. |
Article 13, 4 | The risk assessment must be included in the product’s technical documentation. If the product is also covered by other EU regulations, this assessment may be combined with those required under those laws. If essential cybersecurity requirements are not applicable to a product, the manufacturer must explain why in that technical documentation. |
Article 13, 7 | Manufacturers are expected to document all relevant cybersecurity aspects of their products in a way that reflects the level of risk. This includes recording any vulnerabilities they discover or are informed of by others. Whenever necessary, they must update the risk assessment to reflect new information. |
Article 54, 2 | When authorities evaluate cybersecurity risks, they can also consider non-technical risk factors, such as supply chain vulnerabilities identified in broader EU-level assessments. If they find that a product with digital elements presents a significant cybersecurity risk in light of non-technical risk factors, they have to inform the relevant EU agencies and coordinate further action if needed. |
Article 56, 2 | If the European Commission believes a digital product poses a significant cybersecurity risk, especially due to supply chain or other non-technical factors, it can alert enforcement authorities and coordinate further actions. This includes working with EU cybersecurity bodies like ENISA and considering broader supply chain impacts. |
ANNEX I, 2 | ”On the basis of the cybersecurity risk assessment referred to in Article 13(2) and where applicable, products with digital elements shall:..” The risk assessment is the starting point that informs how each of the listed 13 essential cybersecurity requirements must be addressed in design, deployment, and maintenance. |
What do the official CRA references mean for Risk Assessments?
According to Article 13(3) of the CRA, in conjunction with Annex I, the cybersecurity risk assessment must include, at a minimum, an analysis of cybersecurity risks based on:
The intended purpose of the product
Reasonably foreseeable use (including potential misuse or unexpected use cases)
The conditions of use, such as the operational environment or the sensitivity of the data and systems it interacts with
It must also take into account the expected product lifespan to ensure that security controls are appropriate over time, not just at release.
As mentioned earlier, this risk assessment is not just an internal exercise, it directly informs the implementation of security requirements laid out in Annex I, Part I (point 2) of the CRA. The assessment must identify:
Which of those requirements apply to the specific product
How they are implemented
Why those implementations are justified, based on the risks identified
Even though the essential cybersecurity requirements from Annex I (e.g., secure by default configuration, confidentiality of data, integrity of data and functions) may already be familiar to readers from our previous blog post, what matters here is that their relevance and implementation must be traced back to the results of the risk assessment. In short: security features must be a direct response to the identified risks, not just a checklist.
The CRA also requires the risk assessment to demonstrate how the product meets the broader obligation in Annex I, Part I (point 1), namely, that the product is "designed, developed and produced in such a way that it ensures an appropriate level of cybersecurity based on the risks."
Finally, the assessment must link to how the manufacturer handles vulnerabilities over the lifecycle of the product, as described in Annex I, Part II. This includes maintaining visibility into known vulnerabilities and software components, documenting how vulnerabilities are discovered, disclosed, and resolved, and updating the risk assessment itself when new threats, vulnerabilities, or usage conditions emerge.
Technical Documentation: What Compliance Requires
Under the CRA, technical documentation serves as the definitive proof of cybersecurity due diligence. It must include the full cybersecurity risk assessment and clearly explain how each security control was selected, tailored, and justified.
The technical documentation must capture the full cybersecurity risk assessment and demonstrate clear traceability between risks identified and the chosen controls. This includes documenting the rationale for each requirement applied (or excluded), supported by references to recognized standards where applicable
It is highly recommended that manufacturers reference recognized standards and cybersecurity frameworks that align with CRA expectations. These could include:
ETSI EN 303 645 – baseline requirements for consumer IoT
EN IEC 62443 – particularly useful for industrial automation and control systems
ISO/IEC 27001 and ISO/IEC 27002 – widely adopted for information security management and control implementation
These frameworks could not only support a structured and repeatable process but are explicitly mapped to CRA requirements by ENISA. For a detailed analysis of how current standards align with Annex I, manufacturers should consult the ENISA CRA Requirements–Standards Mapping.
Looking ahead, many expect new harmonized standards to emerge to fully support CRA conformity assessments. For this, manufacturers should stay engaged with ongoing standardization efforts through CEN/CENELEC, ETSI, ISO/IEC, and ENISA.
Key Triggers for Reassessment
A key part of CRA compliance is knowing when risk assessments must be revisited. Directly quoting from CRA’s Article 3(30), a substantial modification is “any change that may affect compliance with the essential cybersecurity requirements set out in Annex I or the cybersecurity posture of the product with digital elements.”
This can refer to a wide range of changes, such as a software update that alters how the product behaves or interfaces with other systems, the addition of new features that expand the attack surface, a change in the environment in which the product is used (such as integration into a new network or application domain), or new risks emerging from the evolving threat landscape.
When these kinds of changes occur, the manufacturer must reassess cybersecurity risks, update the technical documentation, and, depending on the extent of the impact, possibly undergo a new conformity assessment.
To maintain compliance throughout the product’s lifecycle, manufacturers are expected to implement internal mechanisms for continuously monitoring changes and determining when a reassessment is necessary.
Conclusion
The Cyber Resilience Act sets a clear direction: cybersecurity is no longer optional or reactive, it is required, proactive, and documented. For manufacturers, the cybersecurity risk assessment is both a strategic foundation and a compliance obligation.
By taking a structured approach, rooted in actual product risks, manufacturers can meet CRA expectations and position themselves for CE marking long before the 2027 deadline.
Blog | SEP 19, 2025
)
)
)
)
)