Commit b192876f authored by Santeri Toikka's avatar Santeri Toikka

August's edits to risk factor

parent 676a23d8
+6 −2
@@ -93,7 +93,9 @@ The present document is created for EU Regulation 2024/2847, the Cyber Resilienc

## 4.5 Risk Factors

For each NMS placed on the market, the manufacturer shall develop a threat model and risk profile of the foreseeable use of the NMS, and shall consider the interplay between:
To obtain conformity with this standard, each NMS placed on the market, the manufacturer should perform an assessment following the methods detailed in Annex C and applying the criteria of Clause 6.
This assessment can provide a risk profile of the intended purpose and foreseeable uses of the NMS product.
When following this standard such an assessment should consider the interplay between:

-   The complexity of foreseeable uses
-   The likelihood of incidents, given the foreseeable uses
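Review bot: The first replacement sentence in this hunk is ungrammatical and weakens the requirement at the same time. "To obtain conformity with this standard, each NMS placed on the market, the manufacturer should perform an assessment" has no verb governing "each NMS"; it should read "for each NMS placed on the market, the manufacturer should perform an assessment following the methods detailed in Annex C and applying the criteria of Clause 6." Separately, the removed line said the manufacturer "shall develop a threat model and risk profile", while the new text says the manufacturer "should perform an assessment" that "can provide a risk profile". If the drop from "shall" to "should" and the removal of the explicit threat-model obligation are intended, the commit message should say so, since in a conformity document that is a change from a requirement to a recommendation rather than an editorial edit.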
@@ -102,7 +104,9 @@ For each NMS placed on the market, the manufacturer shall develop a threat model
-   The likelihood of an incident, given the foreseeable use
-   The impact of an incident, given the foreseeable use

The security profile requirements in clause X reflect use cases and intended deployment of the NMS. Security profiles are based on overall risk of the product, a combination of likelihood and potential impact of incidents. Individual risks are judged using the risk factors described here in Annex D, and determine the degree and type of security needed for specific related security requirements.
The technical requirements in clause 5 reflect the risks and provide mitigations for the use cases provided in clause 4.6 and intended deployment of NMS products.
Individual risks are judged using the risk factors described here, and determine the degree and type of security needed for specific related security requirements.
Clause 5.X maps each use case to a set of mitigations that reflect these risk factors and the overall risk of the product as a combination of the likelihood and potential impact of incidents.

Risk factor analysis of all appropriate risk factors can be combined to determine an overall risk of the product and label its risk as low, medium, or high. With this approach, each risk factor provides a description of high or low risk related to a particular aspect of the product and when combined a way to judge its overall security needs.
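Review bot: The hunk leaves an unresolved placeholder and a redundant pair of sentences. The removed line's "clause X" is fixed to "clause 5" in "The technical requirements in clause 5 reflect the risks and provide mitigations for the use cases provided in clause 4.6", but the new final sentence still reads "Clause 5.X maps each use case to a set of mitigations"; either fill in the subclause or mark it with a consistent TODO so it is not missed before publication. Those two sentences also say nearly the same thing (clause 5 mitigates the use cases; clause 5.X maps use cases to mitigations) and could be merged into one. Also note that "Individual risks are judged using the risk factors described here" drops the "in Annex D" anchor that the removed line carried; if this text is no longer in Annex D, the cross-reference to where the risk factors are defined should be restated rather than left implicit.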