OBL-ART13-02 (Binding)

Conduct a cybersecurity risk assessment before placing on the market

Applies to
Manufacturer
Sources
Art. 13(2); Annex I Part I §1
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

Before you sell your product, you must assess its security risks in writing. This is not a checkbox exercise — the findings must change how you design and build the product. Document what threats you considered, what risks you found, and what you did to address them.

Legal text

Article 13(2) of Regulation (EU) 2024/2847 requires manufacturers of products with digital elements to carry out an assessment of the cybersecurity risks associated with the product, taking into account the essential cybersecurity requirements set out in Annex I Part I.

That assessment shall be taken into account during the planning, design, development, production, delivery, and maintenance phases of the product with a view to minimising cybersecurity risks, preventing security incidents, and minimising the impact of such incidents.

Key requirements

  1. Pre-market risk assessment — completed before placing the product on the market
  2. Risk-informed design — findings must feed into product design decisions
  3. Full lifecycle scope — covers planning, design, development, production, delivery, and maintenance
  4. Documentation — the risk assessment forms part of the technical documentation required by Annex VII
  5. Proportionality — depth of assessment must be proportionate to the risks

Relationship to other obligations

This obligation underpins most other Art. 13 duties. The risk assessment drives:

  • Which Annex I Part I requirements apply and how
  • The appropriate conformity assessment route (Module A, B+C, or H)
  • The declared support period (OBL-ART13-08)
  • What vulnerabilities to address before distribution (OBL-ART13-05)

Evidence you may need

  • Cybersecurity risk assessment document (STRIDE, TARA, or equivalent methodology)
  • Threat model with attack surface analysis
  • Risk treatment decisions linked to design choices
  • Records showing the assessment was updated when the product changed
Conduct a cybersecurity risk assessment before placing on the market — CRA-Compliance-Hub