Skip to content

Cyber risk assessment

CRA Art. 13(2)–(3) expects the manufacturer to undertake a cybersecurity risk assessment of the product, keep it updated as appropriate, and include it in the technical documentation (Annex VII §3). Resilic gives each product one current, re-editable assessment — AI-drafted from evidence, human-signed, and kept honest by your live data.

Generate from evidence builds a draft grounded in what Resilic already holds for the product: the register entry, versions and deployments, the SBOM and component inventory, and correlation exposure (EUVD/NVD/CISA KEV). The result is a security context plus candidate threats with citations — e.g. a threat is suggested because the SBOM contains a network-facing component with exploitation history, and the citation says so. The facts are compiled deterministically; AI only phrases the narrative. Candidates are suggestions: you select, edit, add your own, or discard.

Risks are scored on a fixed likelihood × impact matrix — Low/Medium/High on each axis, mapping to a Low/Medium/High risk level. The mapping is documented in the product and every score traces to its inputs. There is deliberately no black-box scoring and no configurable methodology: explainable beats clever here. Product copy does not claim conformance to any risk-assessment methodology standard.

Approving the assessment requires an explicit confirmation and records who approved and when. After approval, Resilic watches for evidence that would invalidate it:

  • a new actively-exploited (KEV) match on the product,
  • a new SBOM ingested for one of its versions,
  • a new deployment of the product.

Any of these flags the assessment “Review required” — the content is never silently edited — and can notify subscribed users (notifications). That is Art. 13(3)’s “updated as appropriate” turned into an operational loop instead of a shelf document.

  • An approved assessment populates Annex VII §3 of your technical documentation, replacing the “provide this yourself” placeholder with a cited section.
  • The assessment exports as a standalone PDF — approved assessments only. If the assessment is flagged for review, the export prints REVIEW REQUIRED rather than hiding it.

Art. 13(2)–(3) are duties of the full CRA, from 11 Dec 2027 — readiness framing, not a September 2026 obligation. Resilic structures your own assessment; it does not perform, attest, or certify it. And it is a cybersecurity risk assessment: it does not replace the ISO 12100 machinery safety risk assessment — attach that as evidence where relevant, it is a different document with a different owner.