If the Likelihood and Impact of a risk are already Low or have been reduced to Low by application of mitigations, then the risk is acceptable. Alternatively, the risk may be transferred to the user or the operational environment, given proper justification.
## D.4 Risk acceptance criteria
## D.4 Risks not treated by the requirements
> Describe how to decide if residual risks are tolerable.
For each risk untreated by the product itself, a corresponding mitigation has been created to explicitly permit the risk to be transferred to the user or operational environment. These are:
## D.5 Residual risks
> Describe how to treat any residual risks, for example by documenting them or informing the user.
* MI-KEVD
* MI-KEVM
* MI-DPAH
* MI-PDDI-1
* MI-SUDC
* MI-SUOE
* MI-SUAO
* MI-DOCC
* MI-DOST
# Annex E: Explanation of the present document (informative only)
