The Cyber Resilience Act requires manufacturers to undertake a cybersecurity risk assessment for every product with digital elements and to take its outcome into account during the planning, design, development, production, delivery and maintenance of that product (Article 13(2)); the assessment must be documented and updated as appropriate throughout the product's support period (Article 13(3)) and included in the technical documentation when the product is placed on the EU market. Without a structured risk assessment, security decisions become reactive and inconsistent, and the organization cannot demonstrate that residual risks have been consciously evaluated and justified against the essential cybersecurity requirements set out in Annex I, Part I.
Establish and maintain a product-level risk assessment that defines the product's intended purpose, considers reasonably foreseeable use and misuse together with the conditions of use (operational environment, assets to be protected, and the length of time the product is expected to remain in use), and identifies all relevant assets, interfaces, and external dependencies. The assessment must state which of the security requirements in Annex I, Part I apply to the product and how each is implemented, and residual cybersecurity risks must be explicitly identified, evaluated, and justified against those requirements. The assessment must be updated whenever technical, environmental, or contextual changes materially affect the product's cybersecurity risk profile; a change large enough to constitute a substantial modification of the product also triggers a renewed conformity assessment.
Maintain the risk assessment as a documented, version-controlled artifact that forms part of the product's technical documentation and can be provided to market surveillance authorities upon reasoned request (Article 52(3)). Record, for each version, what changed and why, so that the history of risk decisions can be reconstructed. Use a centralized and, where possible, quantified risk profile so that likelihood and impact are rated consistently across products and teams, and ensure the assessment informs design, development, and post-market decisions, including vulnerability handling and update planning, throughout the entire product lifecycle.