
Article 13(2) of Regulation (EU) 2024/2847 requires you to undertake a cybersecurity risk assessment and take its outcome into account during planning, design, development, production, delivery, and maintenance. Article 13(3) specifies the minimum scope: intended purpose, reasonably foreseeable use, conditions of use, operational environment, assets to be protected, and expected use time. Annex VII, point 3 requires this assessment to be part of your technical documentation. CRACheck generates it.

The risk assessment is not a checkbox. It is the analytical engine that drives your entire CRA compliance strategy. Art. 13(3) requires it to indicate whether and how each security requirement under Annex I, Part I, point (2) applies to your product. Art. 13(4) requires it to be included in the technical documentation under Annex VII. Art. 13(3) also requires it to be "updated as appropriate" during the support period. Where a requirement does not apply, Art. 13(4) mandates a "clear justification" in the documentation. CRACheck generates the risk assessment structure mapped against every Annex I, Part I requirement. 15–25 minutes. €149.


Risk assessment at a glance

Art. 13(2): legal basis for the risk assessment.
13: Annex I, Part I(2) requirements to assess.
Annex VII(3): where the assessment sits in the technical file.

How to conduct the CRA risk assessment

1. Define the assessment scope
   Art. 13(3): intended purpose, reasonably foreseeable use, operational environment, assets to be protected, expected use time.

2. Identify cybersecurity risks
   Map the threats relevant to your product: unauthorised access, data interception, firmware tampering, supply chain compromise, denial of service, physical attack vectors.

3. Assess against Annex I, Part I(2)
   For each of the 13 sub-points (a)–(m), determine applicability and document how your product meets the requirement. Where a requirement does not apply, prepare the justification per Art. 13(4).

4. Assess the vulnerability handling requirements
   Annex I, Part II: SBOM (1), patching (2), testing (3), disclosure (4)–(5), reporting contact (6), update distribution (7), free updates (8).

5. Document risk treatment
   For each identified risk, document how it is mitigated by design, development, or production measures per Art. 13(1).

6. Run CRACheck
   Enter your product data and risk assessment results. CRACheck structures the assessment per Annex VII, point 3, with cross-references to Annex I, and integrates it into the 8-document technical file.

7. Plan for updates
   Art. 13(3) requires the risk assessment to be "updated as appropriate" during the support period. Establish a trigger-based review process.

Three mistakes manufacturers make with risk assessments

GENERIC ASSESSMENT

Reusing a company-level cybersecurity risk assessment instead of a product-specific one

Art. 13(3) requires the assessment to be based on "the intended purpose and reasonably foreseeable use" of the specific product. A corporate risk register covering IT infrastructure does not satisfy the product-level requirement of Annex VII, point 3.

MISSING JUSTIFICATIONS

Declaring Annex I requirements "not applicable" without documenting why

Art. 13(4) explicitly requires "a clear justification" in the technical documentation for any essential cybersecurity requirement that is not applicable to the product. Blank fields or unchecked boxes without explanation are non-compliant.

FROZEN ASSESSMENT

Conducting the risk assessment once at product launch and never updating it

Art. 13(3) requires the assessment to be "documented and updated as appropriate during a support period." Art. 13(7) requires systematic documentation of "relevant cybersecurity aspects" including vulnerabilities and third-party information. A static assessment from launch day degrades as new threats emerge.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it addresses.

1. Product Classifier
   Category per Annex III/IV. The classification determines the conformity assessment route under Art. 32, which in turn determines the scrutiny applied to your risk assessment.

2. Technical Documentation
   Annex VII structure. Point 3 integrates the risk assessment, showing how the Annex I, Part I requirements apply.

3. Risk Assessment
   The core deliverable. Structured per Art. 13(2)–(4): scope definition, threat identification, Annex I, Part I(2) sub-point mapping (a–m), Annex I, Part II mapping, risk treatment, justification for non-applicable requirements.

4. User Information
   Per Annex II. The risk assessment informs what users need to know under Annex II, point 5: foreseeable circumstances that may lead to cybersecurity risks.

5. Declaration of Conformity
   Per Art. 28 and Annex V.

6. CVD Policy
   Per Annex I, Part II, point (5). The CVD process handles the vulnerabilities that the risk assessment identifies as residual risks.

7. Notification Template
   Per Art. 14. Identified risks inform the severity classification for vulnerability notifications. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
   Maps risk assessment review triggers and update deadlines through the support period.


Generated from your data, in your browser. No data leaves your device.

What you pay

THE ALTERNATIVE

Commissioning a cybersecurity consultancy to perform a CRA-specific risk assessment, map it against Annex I, and produce the Annex VII documentation.

€12,000–€25,000, 6–12 weeks per product. Each new product revision requires a new assessment.
Last regulatory check: 1 May 2026. No substantive changes detected.