CRA Article 13: Your Software Risk Assessment Rulebook

Think of Article 13 of the Cyber Resilience Act as your direct instructions for handling cybersecurity risk assessments for your software, apps, or games. It’s not just a suggestion; it’s a core obligation for you as a manufacturer.

Perform the Assessment

First up, you must undertake an assessment of the cybersecurity risks associated with your software. This isn't a vague exercise. The CRA expects you to consider this assessment outcome throughout the entire lifecycle of your product: planning, design, development, production, delivery, and maintenance. The goal? To minimize cybersecurity risks, prevent incidents, and lessen their impact if they do happen. This applies whether it’s a game processing user scores or an app handling more sensitive information.

Document and Update

This risk assessment needs to be documented. It’s not enough to just think about it; you need a record. And it’s not a one-and-done deal. You have to update this documentation as appropriate during the support period you define for your software. This means if new threats emerge or you add features, your risk assessment needs to keep pace.

What It Must Cover

Your assessment must analyze risks based on the intended purpose and reasonably foreseeable use of your software. It should also specify how the essential security requirements from Annex I, Part I, point (2) (like secure by default, protection against unauthorized access, data confidentiality) apply to your product and how you’re implementing them. Plus, it needs to detail how you're applying the general security by design principle from Annex I, Part I, point (1) and the vulnerability handling requirements from Annex I, Part II.

This documented risk assessment becomes part of your technical documentation under Annex VII.

Key Takeaway

Article 13 mandates a documented, lifecycle-integrated, and regularly updated cybersecurity risk assessment for your software. It’s the proof that you’re building security in, not just bolting it on.