First steps towards CRA conformity. A practical introduction to cybersecurity risk management.
- Track: CRA in practice
- Room: UA2.114 (Baudoux)
- Day: Saturday
- Start: 17:45
- End: 18:00
- Video only: ua2114
The Cyber Resilience Act (CRA) requires a risk-based approach to developing and supporting products with digital elements, including products that consist only of software. The central element of this approach is the cybersecurity risk assessment: it is the document that determines which essential cybersecurity requirements apply to your product and which you do not need to implement. Without this cybersecurity risk assessment, your product is considered non-compliant on the EU market, however secure it is otherwise. Producing it is the manufacturer's responsibility, and that means you.
In this session, we will walk through the steps of this formal, documented process and set up a compliant and reliable way to manage cybersecurity risks for your products with digital elements.
We will draw inspiration from standard industry practices for information security risk management and the recently released EN 40000-1-2 draft from the European Committee for Electrotechnical Standardization.
We will start by defining the product's context and its risk acceptance criteria. Then we will move on to the risk assessment itself: identifying and documenting the product's assets and security objectives, identifying threats, estimating the magnitude of the resulting risks, and evaluating those risks against the acceptance criteria to decide how they are handled next.
To close the risk management loop, we will discuss how to treat risks, how to communicate residual risks to users, and how to monitor and review the identified risks over time.
Speakers
- Harald Fischer