The risk assessment of the essential product requirements is the most important, most time-consuming and least understood part of CRA compliance. It answers a crucial question: Can you upgrade your embedded system to a current version, free it from exploitable vulnerabilities and keep it that way - with reasonable effort?
The answer can go either way: yes or no. If yes, manufacturers should have a broad idea of what they must do and how long it will take. They know in which order to implement the security measures. If no, manufacturers must stop selling their embedded systems before 11 December 2027.
Answering the upgradability question early is essential for manufacturers, as the answer - positive or negative - has a significant impact on their business. The risk assessment of the essential product requirements is the key to the answer. Hence, manufacturers should know how to perform one.
You find links to my posts and talks about the risk assessment of the essential product requirements on this overview page. It all started with a mini series in my newsletter. Then, I turned the episodes into a talk that I gave on several occasions:
- Torizon CRA Summit (23 October 2025, Zurich)
- ESE Congress (1-5 December 2025, Sindelfingen)
Mini Series in my Newsletter
As I had suffered through too many tedious and useless risk assessments in my career, I was looking for a lightweight process and a good way to document the risks. I published my findings in my newsletter Better Built By Burkhard. As I explained my process with a real-life example - the driver terminal of a harvester - the 3-episode series quickly turned into a 5-episode series. Here are the links to the episodes with a short summary of each.
- Episode 63: Prerequisites. Article 13(1-4) requires manufacturers to perform a risk assessment for the essential product requirements listed in Annex I, Part I. As manufacturers, we must ensure that the risk of violating any of the requirements is acceptable - during the entire support period of our product. With a risk matrix, we determine the risk from the damage (5 levels from "negligible" to "catastrophic") and the likelihood (5 levels from "rare" to "almost certain").
- Episode 64: Identifying Risks. I combine Adam Shostack's Four Questions Framework for Threat Modeling with Lean Six Sigma's 5-step risk assessment method to keep the CRA risk assessment as lean as possible. The step "Identifying risks" answers the questions "What are we working on?" and "What can go wrong?". The result is a list of user stories. Each story lists the essential requirements it violates.
- Episode 65: Evaluating and Prioritising Risks. We first estimate the damage that violations of the essential requirements can cause and then the likelihood with which the violations can occur. We take the damage and likelihood as the index into the risk matrix from the Prerequisites to determine the risk. Sorting the user stories by their risk gives us the order in which to mitigate them.
- Episode 66: Mitigating and Reviewing Risks. For each user story, we generate at least one more mitigation option in addition to the do-nothing option. We re-evaluate the risk for each mitigation option. We select one or more mitigation options to reduce the risk to an acceptable level. This answers the question "What are we going to do about it?". Business people - from the product manager up to the CTO and CEO - must be involved in the decision-making process. We must adapt the risk assessment during the support period of our product, whenever we implement a new user story.
- Episode 67: Documenting Risks. In the final episode, I use security decision records (SDRs) - an obvious variant of the better known architecture decision records (ADRs) - to document the risk assessment. We can add the SDRs verbatim to the Technical Documentation (Annex VII(3)).
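The five episodes above describe one procedure. The following Python model is an added example, written for this overview; it is not the author's tooling and not code from the newsletter. Everything concrete in it is an assumption for illustration: the three intermediate level names, the contents of the 5x5 matrix, the "medium is still acceptable" threshold, the effort figures, the three sample stories for a generic operator terminal (not the harvester case from the posts) and the requirement labels, which are short paraphrases rather than Annex I wording. What it shows is the data flow: a user story carries the requirements it can violate plus a damage and likelihood estimate, the matrix turns those into a risk level, sorting gives the mitigation order, each mitigation option is re-evaluated against the same matrix, and the result is emitted as an SDR-style record.

```python
"""Constructed example of the five-step CRA risk assessment summarised above.
Not the author's tooling: matrix, acceptance threshold, sample stories and
requirement labels are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Five damage and five likelihood levels. The endpoints come from the post;
# the three intermediate names on each scale are assumed.
DAMAGE = ["negligible", "minor", "moderate", "major", "catastrophic"]
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
RISK_LEVELS = ["low", "medium", "high", "critical"]
ACCEPTABLE_MAX = "medium"  # assumed: anything above medium must be mitigated

# Assumed 5x5 matrix: rows = likelihood, columns = damage, cells index RISK_LEVELS.
MATRIX = [
    [0, 0, 0, 1, 1],  # rare
    [0, 0, 1, 1, 2],  # unlikely
    [0, 1, 1, 2, 2],  # possible
    [0, 1, 2, 2, 3],  # likely
    [1, 1, 2, 3, 3],  # almost certain
]


@dataclass
class Mitigation:
    name: str
    damage: str       # damage once the mitigation is in place
    likelihood: str   # likelihood once the mitigation is in place
    effort_days: int  # assumed cost measure used to pick between viable options


@dataclass
class UserStory:
    title: str
    violates: list[str]   # essential requirements (Annex I, Part I) at stake, paraphrased
    damage: str
    likelihood: str
    options: list[Mitigation] = field(default_factory=list)


def risk(damage: str, likelihood: str) -> str:
    """Evaluating: damage and likelihood index the matrix to give the risk level."""
    return RISK_LEVELS[MATRIX[LIKELIHOOD.index(likelihood)][DAMAGE.index(damage)]]


def acceptable(level: str) -> bool:
    return RISK_LEVELS.index(level) <= RISK_LEVELS.index(ACCEPTABLE_MAX)


def prioritise(stories: list[UserStory]) -> list[UserStory]:
    """Prioritising: highest risk first; ties broken by damage so the worst outcome leads."""
    return sorted(
        stories,
        key=lambda s: (RISK_LEVELS.index(risk(s.damage, s.likelihood)), DAMAGE.index(s.damage)),
        reverse=True,
    )


def choose_mitigation(story: UserStory) -> Optional[Mitigation]:
    """Mitigating: re-evaluate every option. None means the do-nothing option is chosen
    because the risk is already acceptable; otherwise pick the cheapest viable option."""
    if acceptable(risk(story.damage, story.likelihood)):
        return None
    viable = [m for m in story.options if acceptable(risk(m.damage, m.likelihood))]
    if not viable:
        raise ValueError(f"{story.title!r}: no option reduces the risk to an acceptable level")
    return min(viable, key=lambda m: m.effort_days)


def security_decision_record(story: UserStory) -> dict:
    """Documenting: an SDR-style record per story, with every option and its re-evaluated risk."""
    initial = risk(story.damage, story.likelihood)
    chosen = choose_mitigation(story)
    return {
        "context": story.title,
        "violates": story.violates,
        "initial_risk": initial,
        "options": [("do nothing", initial)]
                   + [(m.name, risk(m.damage, m.likelihood)) for m in story.options],
        "decision": chosen.name if chosen else "do nothing",
        "residual_risk": risk(chosen.damage, chosen.likelihood) if chosen else initial,
    }


# Constructed sample stories for a generic operator terminal (assumed, not from the posts).
STORIES = [
    UserStory("Operator reads harvest data on the display",
              ["integrity of data"], "negligible", "almost certain"),
    UserStory("Service technician installs a firmware update from a USB stick",
              ["no known exploitable vulnerabilities", "integrity of the update"],
              "major", "likely",
              [Mitigation("Verify the update's signature before installing", "major", "rare", 10),
               Mitigation("Remove USB updates; allow signed OTA updates only", "major", "rare", 30)]),
    UserStory("Operator logs in with the factory default PIN",
              ["protection from unauthorised access"], "moderate", "almost certain",
              [Mitigation("Force a PIN change on first boot", "moderate", "unlikely", 5)]),
]

if __name__ == "__main__":
    for story in prioritise(STORIES):
        print(security_decision_record(story))
```

Two design points carry over from the episodes regardless of the assumed numbers: the do-nothing option is always listed, so the record shows why doing nothing was rejected, and `choose_mitigation` raises instead of silently accepting a story that no option brings below the threshold, which is exactly the case that needs the product manager, CTO and CEO in the room.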
Talk at Torizon CRA Summit 2025
Toradex invited me to give a talk at their Torizon CRA Summit in Zürich, Switzerland, and to participate in the fireside panel "Open Source and the CRA". The talks and the panels were recorded; the videos should soon be available through the Torizon website. Here are my presentation slides.
Presentation "Risk Assessment of Essential Product Requirements by Example" at the Torizon CRA Summit 2025
Talk at ESE Congress 2025
My talk "Building an EU CRA Compliant Operator Terminal" was accepted at the Embedded Software Engineering Congress (1-5 December 2025, Sindelfingen near Stuttgart). It is scheduled for Thursday, 4 December 2025, at 16:35. Although the title differs from that of my talk at the Torizon CRA Summit, the content is the same. I just have 40 instead of 30 minutes to talk about risk assessment.
I had to provide an abridged text version of my talk for the conference volume. The talk will be recorded. You'll get access to the conference volume and the video only if you pay the fees for the conference.