Description

CRA Week: Step 1 Risk Assessment, Threat Analysis, and Product Classification

In this kickoff episode of CRA Week on the EdgeVerse TechCast, hosts Kyle Dando and Bridgette Stone welcome NXP security evaluation and certification expert Eve Atallah to break down the 1st of 4 major steps in Cyber Resilience Act (CRA) compliance: Risk Assessment and product categorization.

Eve explains that manufacturers must first define a product's purpose and core functionality to determine its CRA product category, applicable standards, and conformity assessment path, then perform a risk assessment tailored to the product's specific conditions of use to identify which essential CRA cybersecurity requirements and security measures apply.

She clarifies the difference between threat analysis (which attacks are possible, including attack vectors and attacker profiles) and risk assessment (what should not happen, its likelihood, its impact, and whether the resulting risk is acceptable).

To wrap up, Eve explains how classification drives the conformity route: self-assessment for the default category, guided self-assessment for important Class 1, and mandatory third-party assessment for important Class 2 and critical products. She notes that harmonized standards are being finalized to assist manufacturers with assessments. These standards are expected before CRA enforcement in 2027.

Episode Resources:

00:00 Welcome to EdgeVerse TechCast + Introducing CRA Week

01:19 Meet the Expert: Eve Atallah & Why Risk Assessment Is Step One

02:29 Step One Foundations: Product Purpose, CRA Categorization & Risk Assessment

03:58 Risk Assessment vs Threat Analysis: What's the Difference?

06:29 Who Does What? Teams, Expertise & Risk Assessment Deliverables

08:00 How to Identify Device-Specific Threats (Assets, Environment, Interfaces)

10:10 CRA Product Classification: Default vs Important (Class 1/2) vs Critical

12:29 Conformity Assessment Paths: Self-Assessment vs Third-Party + Standards

14:22 Recap, Next Steps (Security by Design) & Closing Announcements