Cyber risk assessment
CRA Art. 13(2)–(3) expects the manufacturer to undertake a cybersecurity risk assessment of the product, keep it updated as appropriate, and include it in the technical documentation (Annex VII §3). Resilic gives each product one current, re-editable assessment — AI-drafted from evidence, human-signed, and kept honest by your live data.
Generate from evidence
Section titled “Generate from evidence”Generate from evidence builds a draft grounded in what Resilic already holds for the product: the register entry, versions and deployments, the SBOM and component inventory, and correlation exposure (EUVD/NVD/CISA KEV). The result is a security context plus candidate threats with citations — e.g. a threat is suggested because the SBOM contains a network-facing component with exploitation history, and the citation says so. The facts are compiled deterministically; AI only phrases the narrative. Candidates are suggestions: you select, edit, add your own, or discard.
Explainable 3×3 scoring
Section titled “Explainable 3×3 scoring”Risks are scored on a fixed likelihood × impact matrix — Low/Medium/High on each axis, mapping to a Low/Medium/High risk level. The mapping is documented in the product and every score traces to its inputs. There is deliberately no black-box scoring and no configurable methodology: explainable beats clever here. Product copy does not claim conformance to any risk-assessment methodology standard.
Approval — and staleness triggers
Section titled “Approval — and staleness triggers”Approving the assessment requires an explicit confirmation and records who approved and when. After approval, Resilic watches for evidence that would invalidate it:
- a new actively-exploited (KEV) match on the product,
- a new SBOM ingested for one of its versions,
- a new deployment of the product.
Any of these flags the assessment “Review required” — the content is never silently edited — and can notify subscribed users (notifications). That is Art. 13(3)’s “updated as appropriate” turned into an operational loop instead of a shelf document.
Where it feeds, and the export
Section titled “Where it feeds, and the export”- An approved assessment populates Annex VII §3 of your technical documentation, replacing the “provide this yourself” placeholder with a cited section.
- The assessment exports as a standalone PDF — approved assessments only. If the assessment is flagged for review, the export prints REVIEW REQUIRED rather than hiding it.
What this is — and isn’t
Section titled “What this is — and isn’t”Art. 13(2)–(3) are duties of the full CRA, from 11 Dec 2027 — readiness framing, not a September 2026 obligation. Resilic structures your own assessment; it does not perform, attest, or certify it. And it is a cybersecurity risk assessment: it does not replace the ISO 12100 machinery safety risk assessment — attach that as evidence where relevant, it is a different document with a different owner.