
Products with digital elements, such as software and hardware, are required to undergo a cybersecurity risk assessment. This compliance requirement comes from the European Cyber Resilience Act (CRA), Regulation (EU) 2024/2847, whose Article 13 (obligations of manufacturers) states:
> For the purpose of complying with paragraph 1, manufacturers shall undertake an assessment of the cybersecurity risks associated with a product with digital elements and take the outcome of that assessment into account during the planning, design, development, production, delivery and maintenance phases of the product with digital elements with a view to minimising cybersecurity risks, preventing incidents and minimising their impact, including in relation to the health and safety of users.
> The cybersecurity risk assessment shall be documented and updated as appropriate during a support period to be determined in accordance with paragraph 8 of this Article. That cybersecurity risk assessment shall comprise at least an analysis of cybersecurity risks based on the intended purpose and reasonably foreseeable use, as well as the conditions of use, of the product with digital elements, such as the operational environment or the assets to be protected, taking into account the length of time the product is expected to be in use. The cybersecurity risk assessment shall indicate whether and, if so in what manner, the security requirements set out in Part I, point (2), of Annex I are applicable to the relevant product with digital elements and how those requirements are implemented as informed by the cybersecurity risk assessment. It shall also indicate how the manufacturer is to apply Part I, point (1), of Annex I and the vulnerability handling requirements set out in Part II of Annex I.
Every product faces unique cybersecurity risks by default, influenced by factors such as selected interfaces, technologies, libraries, and protocols. OpenCRAP aims to be the definitive tool for:
- Defining the default risk profile for your product
- Generating an initial cybersecurity risk assessment
- Suggesting and applying appropriate risk treatments
- Digesting and calculating the residual risk assessment
- Generating a comprehensive risk assessment report with residual risk
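The workflow listed above (default risk profile from the product's components, initial assessment, treatments, residual risk, report) can be sketched as a small pipeline. The following is an added illustration, not OpenCRAP's code: the component catalogue, the threats, the 1-5 likelihood/impact scale, the level thresholds and the example product are all constructed for the demonstration, not taken from the project or from any of the standards named on this page.

```python
"""Constructed illustration of a CRA-style risk assessment pipeline.

Not OpenCRAP code. Scoring (likelihood x impact on a 1..5 scale) and the
level thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe, incl. user health/safety)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Treatment:
    name: str
    threat: str               # name of the threat this treatment addresses
    likelihood_delta: int = 0  # negative values reduce likelihood
    impact_delta: int = 0      # negative values reduce impact


# Constructed default-risk catalogue: the threats each interface/technology/
# protocol brings with it by default, before any treatment is applied.
DEFAULT_PROFILE = {
    "ethernet": [Threat("remote network attack surface", 4, 4)],
    "http-api": [Threat("unauthenticated API access", 4, 4),
                 Threat("injection via API inputs", 3, 4)],
    "bluetooth": [Threat("pairing/eavesdropping", 3, 3)],
    "third-party-lib": [Threat("known vulnerable dependency", 4, 3)],
    "ota-update": [Threat("tampered firmware update", 2, 5)],
}


def risk_level(score: int) -> str:
    """Assumed thresholds: >=15 high, >=8 medium, otherwise low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def initial_assessment(components):
    """Default risk profile: union of the threats raised by each component.
    If two components raise the same threat, the worse score is kept."""
    assessment = {}
    for component in components:
        for threat in DEFAULT_PROFILE.get(component, []):
            current = assessment.get(threat.name)
            if current is None or threat.score > current.score:
                assessment[threat.name] = threat
    return assessment


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def apply_treatments(assessment, treatments):
    """Residual assessment after treatments. A treatment that names a threat
    absent from the assessment is a documentation error and is rejected."""
    residual = dict(assessment)
    for tr in treatments:
        if tr.threat not in residual:
            raise ValueError(f"treatment {tr.name!r} targets unknown threat {tr.threat!r}")
        t = residual[tr.threat]
        residual[tr.threat] = replace(
            t,
            likelihood=_clamp(t.likelihood + tr.likelihood_delta),
            impact=_clamp(t.impact + tr.impact_delta),
        )
    return residual


def build_report(product, initial, residual, treatments):
    """Per-threat initial vs residual risk, sorted worst-first, plus totals
    and the list of threats no treatment addresses."""
    rows = []
    for name, before in initial.items():
        after = residual[name]
        rows.append({
            "threat": name,
            "initial": before.score, "initial_level": risk_level(before.score),
            "residual": after.score, "residual_level": risk_level(after.score),
            "treatments": [tr.name for tr in treatments if tr.threat == name],
        })
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return {
        "product": product,
        "rows": rows,
        "total_initial": sum(r["initial"] for r in rows),
        "total_residual": sum(r["residual"] for r in rows),
        "highest_residual_level": risk_level(max((r["residual"] for r in rows), default=0)),
        "untreated": [r["threat"] for r in rows if not r["treatments"]],
    }


# Constructed example product: a network gateway with an HTTP API,
# a third-party library and over-the-air updates.
EXAMPLE_COMPONENTS = ["ethernet", "http-api", "third-party-lib", "ota-update"]
EXAMPLE_TREATMENTS = [
    Treatment("expose only required services, host firewall", "remote network attack surface", likelihood_delta=-2),
    Treatment("authenticate every API endpoint", "unauthenticated API access", likelihood_delta=-3),
    Treatment("input validation and parameterised queries", "injection via API inputs", likelihood_delta=-2),
    Treatment("SBOM with continuous vulnerability monitoring", "known vulnerable dependency", likelihood_delta=-2),
    # "tampered firmware update" is deliberately left untreated so the report flags it
]


def assess_example_product():
    initial = initial_assessment(EXAMPLE_COMPONENTS)
    residual = apply_treatments(initial, EXAMPLE_TREATMENTS)
    return build_report("constructed example gateway", initial, residual, EXAMPLE_TREATMENTS)


if __name__ == "__main__":
    report = assess_example_product()
    for row in report["rows"]:
        print(f"{row['threat']:<32} {row['initial']:>2} ({row['initial_level']}) -> "
              f"{row['residual']:>2} ({row['residual_level']})")
    print("untreated:", report["untreated"])
```

The report keeps the initial and residual score side by side for every threat, which is the shape a reviewer needs to see that the assessment was actually "taken into account" rather than produced once and filed; threats with no treatment are listed separately so they cannot silently disappear from the residual picture.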
OpenCRAP will incorporate key insights from established Cybersecurity Risk Assessment standards, including:
- ISO 27005
- ETSI TR 103 935 V1.1.1 (2023-12)
- OpenChain's ISO 18974 (OpenChain Project)
The project's goals are to:
- Provide a tool usable by every product developer who needs to generate a risk assessment for their products with digital elements (software or hardware).
- Achieve industry acceptance as reliable evidence for CRA compliance.