3.4 Risk Assessment
Methodology
Risk assessment for vulnerabilities and products is based on established standards:
- CVSS v3.1/v4.0 -- Common Vulnerability Scoring System for individual CVEs
- SSVC -- Stakeholder-Specific Vulnerability Categorization for prioritisation
- CRA Annex I -- Requirements catalogue as the assessment framework
LEGAL BASIS
Art. 10(2) CRA: "The manufacturer shall carry out a cybersecurity risk assessment of the product with digital elements and shall take the result of that assessment into account during the planning, design, development, production, delivery, and maintenance of the product."
CVE Risk Assessment (Individual Vulnerabilities)
CVSS-Based Initial Assessment
| CVSS Score | Severity | CRA Priority |
|---|---|---|
| 9.0 -- 10.0 | Critical | P0/P1 |
| 7.0 -- 8.9 | High | P2 |
| 4.0 -- 6.9 | Medium | P3 |
| 0.1 -- 3.9 | Low | P4 |
Contextual Assessment
The CVSS score is supplemented by a contextual analysis:
| Factor | Assessment | Weighting |
|---|---|---|
| Exploitability | Actively exploited / PoC available / Theoretical | High |
| Reachability | Network / Local / Physical | High |
| Data exposure | Personal data / Business data / None | Medium |
| Prevalence | Number of affected products / customers | Medium |
| Mitigability | Fix available / Workaround / None | Medium |
Decision Matrix
Priority is derived from CVSS severity (rows) and the exploitability factor (columns):
| Severity | Actively exploited | PoC available | Theoretical |
|---|---|---|---|
| Critical | P0 | P1 | P1 |
| High | P1 | P2 | P2 |
| Medium | P2 | P3 | P3 |
| Low | P3 | P4 | P4 |
Product Risk Assessment (CRA Art. 10(2))
A cybersecurity risk assessment is carried out for each CRA-relevant product. Use the Risk Assessment Template.
Assessment Categories
1. Threat Analysis
- Who are potential attackers? (Script kiddies, organised crime, state actors)
- What attack vectors exist? (Network, physical, supply chain)
- What assets are at risk? (Data, functionality, availability)
2. Impact Analysis
- Confidentiality: What data could be disclosed?
- Integrity: What data/functions could be manipulated?
- Availability: What downtime is acceptable?
- Safety: Could physical damage occur? (relevant for firmware/IoT)
3. Likelihood Assessment
- Attack complexity
- Required privileges
- User interaction required
- Attack vector exposure
Risk Matrix
The product risk rating is derived from impact (rows) and likelihood (columns):
| Impact | High likelihood | Medium likelihood | Low likelihood |
|---|---|---|---|
| Critical | CRITICAL | HIGH | MEDIUM |
| Significant | HIGH | HIGH | MEDIUM |
| Moderate | HIGH | MEDIUM | LOW |
| Minor | MEDIUM | LOW | LOW |
Documentation Obligation
Each risk assessment must document:
- Date of assessment
- Assessed product/version
- Identified risks with assessment
- Measures taken for risk mitigation
- Remaining residual risks with justification
- Responsible assessor
- Next review date
The risk assessment is part of the technical documentation (Annex VII) and must be updated whenever the product changes materially or the threat landscape changes.