@@ -4358,15 +4358,11 @@ Each vertical standard defines a set of risk factors. The values of these risk f
Security profiles are use cases grouped together by compatible mitigations. Each security profile describes a set of mitigations which can be used to satisfy the CRA essential requirements for any use case that is part of the security profile.
### E.4.7 Vertical standards may only be used for security profiles in the standard
Use cases whose risks are not addressed by the vertical standard may not use the vertical standard for conformance assessment.
### E.4.8 New use cases and security profiles may be contributed
### E.4.7 New use cases and security profiles may be contributed
New use cases and security profiles may be developed using existing or new risk assessments, risk factors, and mitigations. It is in the manufacturer's interest to contribute the risk assessment and mitigations for their use case to the vertical standard, as they may then get the benefits of conformance via a CRA vertical standard for their product.
### E.4.9 Manufacturer may use any CRA-conformant risk assessment methodology
### E.4.8 Manufacturer may use any CRA-conformant risk assessment methodology
The risk assessment clause of a vertical standard is informative only. It exists to demonstrate that the standards writers have undertaken a risk assessment of the product. The manufacturer is explicitly permitted to use any risk assessment methodology consistent with the essential requirements in the CRA.
