Risk Assessment: The Core of CRA Compliance
In 2026, many embedded devices still ship with security weaknesses like these:
- Support staff log in over SSH as root on every device, using one shared password that is easy to guess.
- All applications run with root privileges.
- Major components like the Linux kernel, U-Boot, networking, multimedia, GUI and system libraries reached end of support some time ago and no longer receive security fixes.
- Users install updates from a USB drive plugged into the device. The only check is the filename: as long as it matches the expected pattern, the update is written into the root file system, with no verification of where it came from or whether it was tampered with.
- Sensitive customer data, machine data and access tokens for cloud services are stored unencrypted on the device.
- When several devices communicate over a CAN bus, any one of them can flood the bus with messages and knock out the others.
- When the terminal application hangs or crashes, users can't continue with their work.
If your device has any of the above or similar vulnerabilities, it violates one or more essential product requirements of Annex I.I of the EU Cyber Resilience Act (CRA). Hence, you - the manufacturer - risk heavy fines and a ban on selling the product in the EU.
Your get-out-of-jail card is a cybersecurity risk assessment against the essential product requirements (Annex I.I). I'll walk you through such a risk assessment using the driver terminal of a harvester as an example.
- Guided by a data-flow diagram of the terminal's ecosystem, we identify the vulnerabilities. Each vulnerability violates one or more of the essential product requirements.
- We evaluate the risk of each vulnerability with a risk matrix. The risk combines the damage caused by exploiting the vulnerability with the likelihood that it is exploited.
- We sort the vulnerabilities by their risk. If the risk is too high for us, we mitigate or avoid it; otherwise, we accept it.
- For vulnerabilities with unacceptably high risk, we devise mitigation options and re-evaluate the risk for each option. We can choose any option that brings the risk down to an acceptable level with reasonable effort.
- We update the risk assessment for every new feature, and we write tests to detect vulnerabilities early.
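To make the evaluation step concrete, here is an added example (my own code, not from the original article) of the matrix-based evaluation described above: each vulnerability gets an ordinal damage and likelihood rating, a risk matrix turns the pair into a risk level, the vulnerabilities are sorted by that level, and for the unacceptable ones the cheapest mitigation option whose residual risk is acceptable is picked. The scales, the matrix, the risk appetite and the ratings of the terminal's vulnerabilities are assumptions chosen for illustration; a real assessment fills them in from the data-flow diagram.

```python
"""Risk-matrix evaluation for a CRA risk assessment (added example).

All scales, the matrix and the sample ratings are assumptions for
illustration, not the article's own numbers.
"""
from dataclasses import dataclass, field

# Ordinal scales (assumed): index 0 = lowest, 3 = highest.
DAMAGE = {"negligible": 0, "limited": 1, "serious": 2, "critical": 3}
LIKELIHOOD = {"rare": 0, "possible": 1, "likely": 2, "almost certain": 3}
LEVELS = ("low", "medium", "high", "very high")

# Risk matrix indexed [damage][likelihood]. Assumed shape: deliberately not a
# plain product, so critical damage never rates "low" even when it is rare.
MATRIX = (
    ("low", "low", "medium", "medium"),            # negligible damage
    ("low", "medium", "medium", "high"),           # limited damage
    ("medium", "medium", "high", "very high"),     # serious damage
    ("medium", "high", "very high", "very high"),  # critical damage
)
ACCEPTABLE = {"low", "medium"}  # assumed risk appetite of the manufacturer


@dataclass
class Option:
    """A mitigation option and the residual risk that remains after it."""
    name: str
    damage: str
    likelihood: str
    effort_days: int


@dataclass
class Vulnerability:
    name: str
    damage: str
    likelihood: str
    options: list = field(default_factory=list)


def risk_level(damage: str, likelihood: str) -> str:
    """Look up the risk level for a damage/likelihood pair."""
    return MATRIX[DAMAGE[damage]][LIKELIHOOD[likelihood]]


def risk_rank(level: str) -> int:
    return LEVELS.index(level)


def assess(vulns):
    """Sort by risk (highest first) and decide per vulnerability.

    Returns tuples (name, risk level, decision, chosen option or None).
    Decision is "accept", "mitigate", or "no acceptable option" when none
    of the listed options brings the residual risk into ACCEPTABLE.
    """
    ordered = sorted(vulns,
                     key=lambda v: risk_rank(risk_level(v.damage, v.likelihood)),
                     reverse=True)
    decisions = []
    for v in ordered:
        level = risk_level(v.damage, v.likelihood)
        if level in ACCEPTABLE:
            decisions.append((v.name, level, "accept", None))
            continue
        viable = [o for o in v.options
                  if risk_level(o.damage, o.likelihood) in ACCEPTABLE]
        if not viable:
            decisions.append((v.name, level, "no acceptable option", None))
            continue
        cheapest = min(viable, key=lambda o: o.effort_days)
        decisions.append((v.name, level, "mitigate", cheapest.name))
    return decisions


# Constructed sample: four of the terminal's vulnerabilities with assumed
# ratings and assumed mitigation options.
TERMINAL_VULNS = [
    Vulnerability("Shared root password over SSH", "critical", "almost certain", [
        Option("Per-device SSH keys, root login disabled", "critical", "rare", 8),
        Option("Remove SSH from production image", "negligible", "rare", 2),
    ]),
    Vulnerability("Unsigned USB updates", "critical", "likely", [
        Option("Verify update signature before installing", "critical", "rare", 10),
    ]),
    Vulnerability("CAN bus flooding", "critical", "possible", [
        # Rate limiting alone does not change the damage or make it rare.
        Option("Rate-limit CAN transmit in the driver", "critical", "possible", 4),
    ]),
    Vulnerability("Terminal app hangs or crashes", "serious", "likely", [
        Option("Watchdog restarts the terminal app", "limited", "likely", 3),
    ]),
]


def example_assessment():
    return assess(TERMINAL_VULNS)


if __name__ == "__main__":
    for name, level, decision, option in example_assessment():
        print(f"{level:9} {decision:21} {name}" + (f" -> {option}" if option else ""))
```

The "no acceptable option" outcome for CAN bus flooding is the case the last bullet talks about: the option on the table does not bring the risk down, so the assessment has to go back and devise further options (or avoid the risk by a different design) before the table can be closed.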
I'll also show you how to document the risk assessment with architecture decision records (ADRs). You can add the ADRs as-is to the Technical Documentation required by the CRA (Annex VII).
The risk assessment gives you a plan of which security measures to implement for your device. Implementing that plan takes a lot more time. So you had better act now: the closer 11 December 2027 (the date when the CRA fully applies) comes, the harder it will be to find qualified and affordable help.