Documenting Your Software Risk Assessment: What the CRA Demands

The Cyber Resilience Act is clear: your cybersecurity risk assessment for your app, game, or software needs to be written down. This isn't just good practice; Article 13, Paragraph 3 mandates it, and Annex VII, Point 3 specifies it as part of your technical documentation.

Core Documentation Requirements

Your documented risk assessment must include:

  • An analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use of your software. This includes considering the conditions of use, such as the operational environment or the assets to be protected, and the expected usable lifetime of your product.
  • A clear indication of whether, and how, the specific security requirements listed in Annex I, Part I, point (2) (like secure by default, access control, data protection, etc.) are applicable to your software.
  • An explanation of how these requirements are implemented, informed by your risk assessment.
  • Details on how you are applying the general security by design principle (Annex I, Part I, point (1)) and the crucial vulnerability handling requirements (Annex I, Part II).

Justifying Non-Applicability

What if a specific essential security requirement from Annex I doesn't quite fit your super simple game or app? You can't just ignore it. Article 13, Paragraph 4 states that if certain essential cybersecurity requirements are not applicable, you must include a clear justification for this in the technical documentation. Recital 55 backs this up, explaining that if risks are identified in relation to such a non-applicable requirement, you should still address those risks by other means, like limiting the product's intended purpose or clearly informing users.

Living Document

Remember, this isn't a "set it and forget it" document. Article 13, Paragraph 3 also requires this risk assessment to be updated as appropriate during the support period of your product.

Key Takeaway

Your documented software risk assessment is a critical piece of your CRA compliance. It must detail your risk analysis, how essential requirements apply (or why they don’t with justification), and how you're implementing security and vulnerability management.