When to Update Your Software Risk Assessment: New Features & Vulnerabilities
Your software's cybersecurity risk assessment isn't a historical artifact; it's a living document. The Cyber Resilience Act (CRA) requires you to update it "as appropriate during a support period" (Article 13, Paragraph 3). So, when exactly is "as appropriate" for your app, game, or software?
Key Triggers for an Update
- Substantial Modifications: This is a big one. A "substantial modification" is a change after the product is placed on the market that affects compliance with the essential cybersecurity requirements or modifies the intended purpose (Article 3, point (30)). Recital 39 explains that if a software update modifies the original intended functions, changes the nature of the hazard, or increases the level of risk, it is likely substantial. Adding a new online multiplayer mode to a previously offline game? That probably needs a risk assessment update. Fixing a minor bug? Maybe not. If a modification is substantial, you might even need a new conformity assessment (Recital 41).
- New Features or Functionality: Even if a change is not "substantial" enough to trigger a full new conformity assessment, adding any significant new feature to your app or game introduces new code, new attack surfaces, and potentially new risks. Revisit your risk assessment.
- Newly Discovered Vulnerabilities: When you or a third party discovers a significant vulnerability in your software or a key dependency (like your game engine), you need to assess its impact. This feeds into your vulnerability handling (Annex I, Part II) and should prompt a review of your existing risk assessment. Article 13, Paragraph 7 requires you to systematically document vulnerabilities you become aware of and update the risk assessment where applicable.
- Changes in the Threat Landscape: If new attack techniques emerge that are particularly relevant to your type of software (e.g., new cheating methods for online games, new exploits for app frameworks), your existing assessment may no longer reflect the actual risk and should be reviewed.
- Changes in Operating Environment: If your app now supports a new operating system, or your backend software is migrated to a new cloud provider, the risk profile might change.
- Periodic Reviews: Even without specific triggers, it's good practice to periodically review your risk assessment (e.g., annually) to ensure it still accurately reflects the security posture of your software.
Key Takeaway
Treat your software's risk assessment as a dynamic tool. Update it whenever your product undergoes significant changes, new vulnerabilities are found, or the operational context shifts. This ongoing diligence is central to the CRA's approach to cybersecurity.