@@ -414,6 +414,8 @@ Once the present document is cited in the Official Journal of the European Union
**Table A.1: Relationship between the present document and<br />the requirements of Regulation (EU) 2024/2847 - the Cyber Resilience Act**<aname="table_A.1"></a>
| No known exploitable vulnerabilities | NKEV, SSSD, SCUD, NUTI, LOGG |
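Review bot: The anchor element in the Table A.1 caption is malformed: `<aname="table_A.1"></a>` is missing the space after the tag name and will not render as an anchor, so cross-references to `#table_A.1` elsewhere in the document will not resolve; it should read `<a name="table_A.1"></a>`. The added row `| No known exploitable vulnerabilities | NKEV, SSSD, SCUD, NUTI, LOGG |` also appears without the table header (`| ... | ... |` followed by a `| --- | --- |` separator) in the visible context, so please confirm the row lands inside the existing table body rather than after the caption as a stray pipe-delimited line.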
@@ -456,9 +458,30 @@ Presumption of conformity stays valid only as long as a reference to the present
Other Union legislation may be applicable to the product(s) falling within the scope of the present document.
# Annex C (informative): Cybersecurity threat landscape, risk identification and assessment methodology
# Annex C (informative): Cybersecurity threat landscape, risk identification and assessment methodology (# Annex B)
# Annex B (informative): Security analysis
<mark>Editor's Note: Even if informative, this Annex is mandatory in CRA Vertical Harmonised Standards, as it implements the risk-based approach prescribed in the CRA Regulation.</mark>
This Annex applies state of the art methodology to identify threats, identify and evaluate the risks, and define security profiles applicable to the product different use cases of the product context.
_The standard may implement an existing methodology, referencing the standards where it is defined. Alternatively, the following structure has been proposed as part of the HAS comments received, that may be adapted as relevant for each vertical:_
_B.1 Assets_
_B.2 Risk factors_
_B.3 Assumptions_
_B.4 Threats (including connection to risk factors)_
_B.5 Mapping of risk factors to use cases_
_B.6 Mapping of risk factors to security profiles_
_Use technical language and focus what is relevant from a product perspective_
## B.0 Introduction
This Annex applies state of the art methodology to identify threats, identify and evaluate the risks, and define security profiles applicable to the product different use cases of the product context.
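Review bot: The two consecutive Annex C headings at the top of this hunk duplicate each other, and the second carries a stray `(# Annex B)` suffix that looks like a leftover from a rename; keep one `# Annex C (informative): ...` heading and drop the suffix. The order is also inverted: Annex C is introduced before `# Annex B (informative): Security analysis`, so the B/C sections should be swapped or the headings re-lettered consistently with the numbered sub-clauses `B.0` to `B.6`. The introductory sentence "This Annex applies state of the art methodology ... applicable to the product different use cases of the product context." is repeated verbatim before the italicised editor guidance and again under `## B.0 Introduction`; keep only the B.0 copy, and the phrase "applicable to the product different use cases of the product context" needs rewording (e.g. "applicable to the different use cases and deployment contexts of the product").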