The Cyber Resilience Act (Annex I, Part I) requires that products with digital elements be designed, developed, and produced to limit attack surfaces and reduce the impact of incidents. Threat modeling is the primary mechanism for uncovering architectural design flaws that code-level testing alone cannot catch, and for operationalizing the security by design and security by default principles that underpin the regulation. It ensures that security controls are informed by a realistic understanding of how an adversary could exploit the product's structure.
Apply a defined threat modeling methodology to systematically identify threats, assess design weaknesses, and determine appropriate mitigations across the product's architecture. The analysis must consider relevant data flows, trust boundaries, and interactions with external systems and services. Identified threats and their corresponding mitigations must be traceable to security requirements and architectural decisions, ensuring that every design choice can be justified from a security perspective.
Persist threat modeling outcomes as part of the product's technical documentation (Annex VII). Use structured representations such as data flow diagrams to support the analysis, and review and update threat models whenever changes to the product, its components, or its operating context may materially affect the threat landscape. Ensure that results feed directly into security requirements, design decisions, and subsequent testing activities.
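As an added illustration (not part of the original text), the following Python encodes a small data flow diagram as data, flags flows that cross a trust boundary, raises threats for each crossing, and reports any threat that cannot be traced to a mitigation and a security requirement. The STRIDE categories, the simplified per-crossing rule set, the sample device model and the requirement id "SR-07" are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone; a flow whose endpoints sit in different zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str

@dataclass
class Threat:
    flow: Flow
    category: str                      # STRIDE category (assumed methodology, not named by the text)
    mitigation: Optional[str] = None
    requirement: Optional[str] = None  # id of the security requirement the mitigation traces to

# Assumption: a deliberately small rule set; real STRIDE-per-element rules are richer.
BOUNDARY_THREATS = ("Spoofing", "Tampering", "Information disclosure", "Denial of service")

def boundary_crossings(elements: List[Element], flows: List[Flow]) -> List[Flow]:
    zone = {e.name: e.zone for e in elements}
    return [f for f in flows if zone[f.src] != zone[f.dst]]

def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    return [Threat(f, c) for f in boundary_crossings(elements, flows) for c in BOUNDARY_THREATS]

def untraced(threats: List[Threat]) -> List[Threat]:
    """Threats lacking a mitigation tied to a security requirement: gaps in traceability."""
    return [t for t in threats if not (t.mitigation and t.requirement)]
def sample_model() -> Tuple[List[Element], List[Flow]]:
    # Constructed sample: a connected device whose updater pulls firmware from a vendor server.
    elements = [Element("update-server", "internet"), Element("mobile-app", "lan"),
                Element("updater", "device"), Element("config-store", "device")]
    flows = [Flow("update-server", "updater", "firmware image"),
             Flow("mobile-app", "updater", "update command"),
             Flow("updater", "config-store", "settings")]
    return elements, flows

def assess() -> List[Threat]:
    elements, flows = sample_model()
    threats = enumerate_threats(elements, flows)
    for t in threats:  # record one mitigation, traced to a placeholder requirement id
        if t.flow.data == "firmware image" and t.category == "Tampering":
            t.mitigation, t.requirement = "verify image signature before install", "SR-07"
    return threats
```

Re-running `assess()` after a change to the model (a new external service, a moved trust boundary) shows which threats the existing requirements no longer cover, which is the review-on-change step the guidance calls for.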