What must the CRA risk assessment include?

Article 13(3) of Regulation (EU) 2024/2847 requires the risk assessment to include: an analysis based on intended purpose and reasonably foreseeable use, conditions of use (operational environment), assets to be protected, how the product implements the essential requirements in Annex I, Part I, and how the manufacturer applies vulnerability handling requirements in Annex I, Part II. It must be documented and updated throughout the support period.

How is the CRA risk assessment different from ISO 27005?

ISO 27005 provides a methodology for organizational information security risk management. The CRA risk assessment is product-specific, mapped to the essential cybersecurity requirements in Annex I of Regulation (EU) 2024/2847. ISO 27005 covers your organization's risk posture. The CRA assessment covers a specific product's cybersecurity risks. They operate at different scopes and use different reference frameworks.

How often must the risk assessment be updated?

Article 13(3) requires updates "as appropriate during a support period." Triggers for updates include: new threats relevant to your product, newly discovered vulnerabilities, significant product changes, changes in the threat landscape (new attack techniques), and changes in the operational environment assumptions.

Does the risk assessment need to cover third-party components?

Yes. Article 13(5) requires due diligence on third-party components. The risk assessment should address risks introduced by integrated components: library vulnerabilities, supply chain attacks, and dependency maintenance risks. You do not need to conduct independent risk assessments of each library, but you must assess the risks they introduce to your product.

Can we use CRACheck's risk assessment template alongside our existing risk management process?

Yes. CRACheck generates a CRA-specific risk assessment that maps to Annex I. This complements rather than replaces your existing NIST, ISO, or internal risk management. The CRA assessment is a product-level document that can reference findings from your broader risk management process.

Is CRACheck a subscription?

No. One-time payment. 30 days of editing, 10 regenerations. The PDF is yours to keep.

Can I request a refund?

Per Article 16(m) of Directive (EU) 2011/83, activating the license constitutes express consent for immediate generation. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during your license period.

Article 13(2) of Regulation (EU) 2024/2847 requires every manufacturer to undertake a cybersecurity risk assessment specific to their product. Article 13(3) requires it to be documented, updated throughout the support period, and based on intended purpose, foreseeable use, and operational environment. This is not your organizational risk register — it is a product-specific assessment mapped to the essential requirements in Annex I. CRACheck generates this structured assessment alongside 7 supporting documents.

The CRA cybersecurity risk assessment is distinct from NIST RMF, ISO 27005, or your existing enterprise risk management process. Article 13(2)-(3) requires a per-product analysis covering threats, attack vectors, and mitigations mapped to the essential cybersecurity requirements in Annex I, Part I (product security) and Part II (vulnerability handling). The assessment must be included in the technical documentation under Article 31 and Annex VII. CRACheck generates the structured risk assessment as part of the 8-document dossier in 15-25 minutes for €149. The template follows the CRA structure, not NIST or ISO.

Generate risk assessment + dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

Art. 13(2)-(3)

The CRA articles mandating product-specific cybersecurity risk assessment for every manufacturer

Annex I

Part I (product requirements) + Part II (vulnerability handling) — the requirements your risk assessment must map against

€149

Risk assessment plus 7 supporting documents in one session

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Define product scope

Enter your SaaS product details: name, architecture, deployment model, user base. The risk assessment scope follows the product boundary.

Map intended purpose and foreseeable use

Article 13(3) requires the risk assessment to cover intended purpose and reasonably foreseeable use. CRACheck structures this per the CRA requirement.

Identify assets and threats

What data does your product handle? What are the critical functions? What threats apply to your specific architecture? CRACheck guides you through SaaS-relevant threat categories.

Map against Annex I, Part I

Each essential requirement in Annex I, Part I is evaluated against your product: data protection, access control, integrity, availability, secure-by-default, data minimization, encryption, and update mechanisms.

Map against Annex I, Part II

Vulnerability handling requirements: vulnerability identification, documentation, remediation, disclosure, and update distribution.

Assess residual risk

After documenting mitigations, CRACheck structures the residual risk statement required for the technical documentation.

Generate complete dossier

Risk assessment embedded within the technical documentation, plus declaration of conformity, user information, CVD policy, ENISA template, obligations calendar.

Common mistakes

❌

FRAMEWORK MISMATCH

"We have a NIST CSF risk assessment — we will adapt it for CRA"

NIST CSF assesses organizational cybersecurity posture across five functions (Identify, Protect, Detect, Respond, Recover). The CRA requires a product-specific risk assessment mapped to the essential requirements in Annex I, Part I and Part II. Different scope (organization vs. product), different structure (NIST functions vs. CRA annex requirements), different legal basis (voluntary framework vs. EU regulation). Adapting one for the other produces a misaligned document.

❌

ASSESSMENT vs TEST

"Our penetration test report is our risk assessment"

A penetration test identifies specific vulnerabilities in a deployed system. A CRA risk assessment per Article 13(2)-(3) evaluates cybersecurity risks during the planning, design, development, production, delivery, and maintenance phases. The risk assessment is a design-time document covering threat modeling, mitigation strategy, and residual risk acceptance. Penetration testing may inform the assessment but does not replace it.

❌

CONTINUOUS OBLIGATION

"We will perform the risk assessment once and archive it"

Article 13(3) requires the risk assessment to be "documented and updated as appropriate during a support period." New threats, new attack techniques, new vulnerabilities in dependencies, and changes to your product architecture all require reassessment. The risk assessment is a living document maintained for the support period, not a one-time exercise.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification that determines the conformity assessment path and informs the risk assessment scope.

Technical Documentation

Art. 31 + Annex VII dossier with the risk assessment integrated as a core component per Article 13(4).

Risk Assessment

The primary deliverable: structured cybersecurity risk analysis per Article 13(2)-(3), mapped to every applicable requirement in Annex I, Part I and Part II. Covers intended purpose, foreseeable use, operational environment, threat identification, mitigation measures, and residual risk.

User Information

Annex II including residual risk disclosure to users — directly linked to the risk assessment findings.

Declaration of Conformity

Art. 28 + Annex V. The declaration's validity depends on the risk assessment demonstrating compliance with essential requirements.

CVD Policy

Directly addresses Annex I, Part II requirements for vulnerability handling assessed in the risk assessment.

Notification Template

Art. 14. The incident notification process is a risk mitigation measure documented in the assessment. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

Obligations Calendar

Risk assessment update triggers, support period milestones, and reassessment schedule.

Mira antes de comprar — Descargar dossier de muestra (PDF, empresa ficticia) — Estructura real, artículos reales, formato real. Datos ficticios.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 CYBERSECURITY RISK ASSESSMENT FIRM

€8,000–€20,000

4-10 weeks. Requires detailed architecture workshops, threat modeling sessions, and multiple review rounds. Output: a bespoke risk report that may or may not follow the Annex I structure.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history