Assessment of cyber security risks

A mental bridge from product safety-related risk assessment to cyber security risks.

A large number of new EU regulations relate to cyber security. Examples include: Cyber Resilience Act (2024/2847), Radio Equipment Directive (Delegated Regulation 2022/30), GPSR (2023/988), Machinery Regulation (2023/1230), NIS-2 (2022/2555), Product Liability Directive (2024/2853), Construction Products Regulation (2024/3110).

Whether DDoS attacks are launched from 1.6 million compromised Android TV boxes (the Vo1d botnet) or 49,000 poorly configured access control systems expose information worth protecting, the motivations for better cyber security of networked end products are manifold.

Fig. Assessment of cyber security risks

Under the Cyber Resilience Act (EU) 2024/2847, manufacturers of products with digital elements are required to carry out a cyber security risk assessment. This takes into account the entire life cycle with its planning, design, development, manufacturing, delivery and maintenance phases.

The aim of this article is to build a mental bridge from product safety-related risk assessment to the assessment of cyber security risks.

The purpose of a risk assessment can be manifold. In my practice, it has mostly been product safety assessments, e.g. during the planning and design of an electrical product (see CENELEC Guide 32:2014), or during the marketing phase to assess possible product defects and their risks in the field (see RAPEX).

For all those who likewise start from the product safety-related school of risk assessment, I would like to outline the practical steps needed in the context of cyber security before the proven methodology can be applied. That proven methodology is the estimation of the probability of occurrence in combination with the extent of damage, which is what turns an identified hazard into a risk.

The key question is therefore: How do we move from product safety-related risk assessment to the assessment of cyber security risks?

Dr. Gerhard Wiebe, Johannes Daelen and I, Benjamin Kerger, discuss the regulation of product-related cybersecurity in detail in an article published in February 2025 in Kommunikation & Recht (issue 02, in German).

A frequently encountered visualization of cyber security risk is a set of three overlapping circles, the so-called triad, representing

  • the threat,
  • the asset worth protecting
  • and the vulnerability.

The common intersection is the risk.
However, it is unclear which sets have to overlap for a risk to arise. Variants use only two circles, or substitute the damage (the consequence) for one of the factors. Personally, none of these metaphorical drawings help me in my practical work.

I take the position that there must first and foremost be an asset worth protecting and a protection goal for that asset. This pair can be exposed to a threat. A threat, however, only becomes a hazard in the product-safety sense through a vulnerability that allows it to act on the asset.

At this point, we are already back in safe waters: we have an identified hazard. As in product safety-related risk assessment, we may now estimate (*) the probability of occurrence and the extent of damage and thus arrive at the risk we are looking for. Et voilà!

(*) Why "may" and not "must"?

The toolbox is diverse. There are numerous approaches for identifying threats and assessing risks. See, for example, ETSI TR 103 935 V1.1.1 (2023-12) for alternative methods: STRIDE, DREAD, MITRE ATT&CK, Attack Trees, Data-Centric Threat Modeling, Threat Vulnerability and Risk Analysis (TVRA).

DREAD is an alternative to the matrix-based approach of estimating probability of occurrence and extent of damage. Identified threats are prioritized by rating each of the five DREAD questions (e.g. on a scale of 1 to 10) and summing the ratings; the total is the priority score for that threat.

  • Damage - how bad would an attack be?
  • Reproducibility - how easy is the attack to reproduce?
  • Exploitability - how much effort is required to launch the attack?
  • Affected users - how many people are affected?
  • Discoverability - how easy is it for an attacker to discover the vulnerability?
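The following is an added worked example, not code from the article or from GLOBALNORM. It puts the two steps described above into running code: the asset / protection goal / threat / vulnerability model (a threat without a vulnerability yields no hazard), then the two ways of turning a hazard into a prioritized risk, namely the product-safety style matrix (probability times damage) and the DREAD sum. The sample asset, threats, ratings and matrix thresholds are constructed for illustration and are not from the article.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    protection_goal: str          # goal it acts against: confidentiality, integrity or availability
    vulnerability: Optional[str]  # None = no known weakness the threat could use


@dataclass(frozen=True)
class Hazard:
    asset: str
    protection_goal: str
    threat: str
    vulnerability: str


def identify_hazards(asset: str, goals: list[str], threats: list[Threat]) -> list[Hazard]:
    """An asset and its protection goal may be exposed to a threat; it becomes a hazard
    only if a vulnerability exists through which the threat can act on that goal."""
    return [
        Hazard(asset, t.protection_goal, t.name, t.vulnerability)
        for t in threats
        if t.protection_goal in goals and t.vulnerability is not None
    ]


def matrix_risk(probability: int, damage: int) -> tuple[int, str]:
    """Product-safety style estimate: probability of occurrence (1..5) times extent of
    damage (1..5), mapped onto a level. The thresholds are this example's own choice."""
    for value, name in ((probability, "probability"), (damage, "damage")):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be in 1..5, got {value}")
    score = probability * damage
    if score <= 4:
        level = "low"
    elif score <= 9:
        level = "medium"
    elif score <= 15:
        level = "high"
    else:
        level = "very high"
    return score, level


DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_total(scores: dict[str, int], assume_discovered: bool = False) -> int:
    """Sum of the five DREAD ratings, each 1..10. With assume_discovered=True the
    Discoverability rating is pinned to 10, a common practice: that a weakness is
    hard to find is not a defensible reason to rank it lower."""
    missing = set(DREAD_FACTORS) - scores.keys()
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    rated = dict(scores)
    if assume_discovered:
        rated["discoverability"] = 10
    for factor in DREAD_FACTORS:
        if not 1 <= rated[factor] <= 10:
            raise ValueError(f"{factor} must be in 1..10, got {rated[factor]}")
    return sum(rated[factor] for factor in DREAD_FACTORS)


def prioritize(hazards: list[Hazard], dread_scores: dict[str, dict[str, int]],
               assume_discovered: bool = False) -> list[tuple[Hazard, int]]:
    """Rank hazards by DREAD total, highest first; ties keep their input order."""
    ranked = [(h, dread_total(dread_scores[h.threat], assume_discovered)) for h in hazards]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample (hypothetical): a networked door controller with a web admin interface.
SAMPLE_ASSET = "door controller, web administration interface"
SAMPLE_GOALS = ["confidentiality", "integrity", "availability"]
SAMPLE_THREATS = [
    Threat("credential stuffing against the admin login", "confidentiality",
           "factory default password accepted, no lockout"),
    Threat("recruitment into a DDoS botnet", "availability",
           "management port reachable from the internet"),
    # Firmware updates are signed in this scenario: no vulnerability, hence no hazard.
    Threat("installation of tampered firmware", "integrity", None),
]
SAMPLE_DREAD = {
    "credential stuffing against the admin login":
        {"damage": 8, "reproducibility": 9, "exploitability": 9, "affected_users": 6, "discoverability": 7},
    "recruitment into a DDoS botnet":
        {"damage": 6, "reproducibility": 8, "exploitability": 7, "affected_users": 10, "discoverability": 9},
}

if __name__ == "__main__":
    hazards = identify_hazards(SAMPLE_ASSET, SAMPLE_GOALS, SAMPLE_THREATS)
    for hazard, total in prioritize(hazards, SAMPLE_DREAD):
        print(f"DREAD {total:2d}  {hazard.protection_goal:15s} {hazard.threat} via {hazard.vulnerability}")
    print("matrix example (probability 4, damage 5):", matrix_risk(4, 5))
```

Note how the ranking depends on the Discoverability rating: with the sample values the botnet hazard scores 40 and the credential-stuffing hazard 39, but once Discoverability is pinned to 10 for both, credential stuffing (42) overtakes the botnet (41). Whichever convention you adopt, document it alongside the scores so the priorities remain reproducible in the technical documentation.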

Depending on the priority score, cyber security measures can then be defined and implemented in accordance with Annex I Part I of the CRA (cybersecurity requirements relating to the properties of products with digital elements) in order to adequately counter the identified risks.


We look forward to receiving suggestions and exchanging ideas on how you assess cyber security risks in practice. One opportunity for this exchange will be the 13th GLOBALNORM PRODUCT COMPLIANCE CONFERENCE (in German) on September 16 and 17, 2025 in Berlin.


Author's note

This article has been machine translated into English.
TERMS AND ABBREVIATIONS

The Cyber Resilience Act (2024/2847) sets out cyber security requirements for hardware and software products with digital elements that are placed on the EU market, regardless of where the manufacturer is established.

The Construction Products Regulation (2024/3110) applies to all products that are permanently integrated into construction works and whose function affects the essential requirements of the construction work.

The Radio Equipment Directive (2014/53/EU) sets out the essential requirements that radio equipment must meet; Delegated Regulation (EU) 2022/30 activates its cyber security-related requirements (Article 3(3)(d), (e) and (f)).

The Machinery Regulation (2023/1230) specifies, among other things, the health and safety requirements that must be met in the design and construction of machinery and other products within its scope before they can be placed on the market or put into service.

NIS-2 (2022/2555) is an EU directive intended to strengthen the level of cyber resilience in the Union.

The Product Liability Directive (2024/2853) tightens product liability law and applies to all products that are placed on the market or put into service after December 9, 2026.

DDoS: Distributed Denial of Service

CENELEC: European Committee for Electrotechnical Standardization
Published on 11.03.2025
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Insider-Compliance, Compliance