Terms around risks, threats and threat analysis cause confusion. This overview shows what the CRA, IEC 62443 and EN 40000 require.
Key points
- Confusion does not arise from formulas but from terminology, especially at the interface between safety (safety-related risk assessment) and security (threat and risk analysis).
- The Machinery Regulation requires a risk assessment in the sense of functional safety, while the CRA requires an assessment of cybersecurity risk. Both are separate steps with different aims.
- Most frameworks define risk as a combination of likelihood and impact. This applies to the CRA (Article 3 number 37), EN 40000-1-2 (6.4.4), EN IEC 62443-4-1 prAA (SRM-5) and ISO/SAE 21434 (15.8).
- Assessing cybersecurity risk consists of three steps: creating a threat model, assessing the risk of identified threats, and deriving risk-reducing measures for critical threats.
- The TARA in ISO/SAE 21434 is the automotive-specific comprehensive method for performing threat and risk analysis.
- As an overarching term, “assessment of cybersecurity risk” or “Cybersecurity Risk Assessment” from the CRA is useful, although strictly speaking it refers to the management of cybersecurity risks and the assessment is only one part of that.
What does an assessment of cybersecurity risk mean?
An assessment of cybersecurity risk answers three questions: which threats can affect the product, how high is the resulting risk, and which risk-reducing measures are necessary? Methodically it relies on three building blocks: the assets to be protected and their security objectives, the identified threats, and the assessment of risk as a combination of likelihood and impact. Based on this, the manufacturer decides on risk treatment and which measures should reduce the critical threats.
That is the common logic. In practice, each framework names this activity differently and places its own emphasis.
Which terms do the individual frameworks use?
The following overview assigns the original terms to their respective sources and shows what is specifically required.
| Regulatory framework | Original term | What is required | Scope |
|---|---|---|---|
| Machinery Regulation (EU) 2023/1230 | Risk assessment | Safety-related risk assessment of the machine, methodically according to EN ISO 12100; cybersecurity-relevant are in particular Annex III sections 1.1.9 (protection against corruption) and 1.2.1 (safety and reliability of controls) | Safety, machine as a whole |
| EN 50742 | Threat Assessment | After the risk assessment according to EN ISO 12100, in which all hazards have been identified, the designer performs a Threat Assessment | Safety to security interface at the machine |
| Cyber Resilience Act (EU) 2024/2847 | Assessment of cybersecurity risk | Manufacturers carry out an assessment of cybersecurity risks (Article 13(2)), document it (Article 13(3), Annex VII number 3) and derive which basic requirements from Annex I Part I apply | Security, product with digital elements |
| EN 40000-1-2 (draft) | Risk Assessment (within Risk Management) | Structured method: assets and security objectives (6.4.2), threats (6.4.3), risk estimation (6.4.4), risk evaluation (6.4.5); threat modelling is part of the risk analysis | Security, product, CRA-harmonized |
| IEC 62443-4-1 Ed.1 | Threat Model (SR-2) | Process for a threat model with trust boundaries, attack vectors, threats including severity (for example CVSS) and mitigations | Security, secure development process |
| EN IEC 62443-4-1 prAA (draft) | Security Risk Management (SRM) incl. Threat Model (SRM-4) | Own risk management practice: method and acceptance criteria (SRM-1), evaluation of threat scenarios by likelihood and impact, risk treatment (SRM-5) | Security, secure development process |
| ISO/SAE 21434 | Threat Analysis and Risk Assessment (TARA) | Modular comprehensive method (Clause 15): asset identification, threat scenario identification, impact rating, attack path analysis, attack feasibility rating, risk value determination, risk treatment decision | Security, road vehicles and their components |
Why safety and security are not the same
The most common terminology error concerns the machinery world. The Machinery Regulation requires a risk assessment, but it means the safety-related assessment of hazards according to EN ISO 12100. It asks: what danger does the machine pose to people? An assessment of cybersecurity risk asks something different: what are the consequences if critical threats are exploited, and which appropriate measures can counter them?
EN 50742 makes this sequence explicit. First the risk assessment according to EN ISO 12100 is carried out with full identification of hazards; afterwards the designer performs a Threat Assessment. The standard therefore deliberately separates two steps: first safety, then security. Anyone who lumps both under the single German word “Risikobeurteilung” loses precisely that separation.
The CRA confirms this. Recital 53 states that compliance with the basic cybersecurity requirements can facilitate the fulfilment of certain requirements of the Machinery Regulation, in particular to protect against corruption and for the safety and reliability of controls. Facilitate, not replace. Manufacturers of machines with digital elements must perform both assessments, which complement each other.
Threat model, risk assessment and TARA — three levels, one misunderstanding
Even within the security world the terms become confused. A helpful distinction is three levels.
A Threat Model is a substep, not the complete risk assessment. In IEC 62443-4-1 Ed.1, SR-2 describes the threat model with trust boundaries, data flows, attack vectors and threats including severity. A standalone risk management practice is still missing in that edition. Only EN IEC 62443-4-1 prAA adds SRM as a full Security Risk Management practice: SRM-1 requires a methodology that evaluates the threat scenarios identified in the threat model by likelihood and impact and derives the risk from that. The requirement for the threat model moves to SRM-4.
EN 40000-1-2, intended as the harmonized standard for the CRA, describes in clause 6 risk management elements: the context, the methodology, the risk assessment including threat model, risk treatment and risk communication. The threat model is explicitly a building block of the risk assessment here, not a substitute.
TARA is the automotive-specific comprehensive method of ISO/SAE 21434. It bundles threat analysis and risk assessment into a named, modular procedure. The term TARA belongs in the automotive context. For an industrial product under the CRA, using “TARA” is conceptually incorrect, even if the underlying logic is almost identical.
How closely the methods actually align
Despite different names, the methods are very similar in content. EN 40000-1-2 defines threats in 6.4.3 via three elements: affected asset, compromised security objective and cause of compromise. ISO/SAE 21434 describes a threat scenario in RQ-15-03 almost verbatim: targeted asset, compromised cybersecurity property, cause of compromise.
The approaches to risk treatment also converge. EN IEC 62443-4-1 prAA lists in SRM-6 four options: avoidance, reduction by measures, sharing/transfer and acceptance. ISO/SAE 21434 lists the same four in RQ-15-17: avoiding, reducing, sharing, retaining. EN 40000-1-2 also defines in 6.5 the four options risk avoidance, risk mitigation, risk transfer and risk acceptance.
If you master one method, you already understand the basic logic of the others. What differs are depth of detail, scales and the required scope and content of evidence.
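The common logic described above (a threat as asset, compromised security objective and cause; risk as likelihood combined with impact; treatment chosen against acceptance criteria and re-evaluated after a measure) is shown here as an added example in Python; it is not code from the article or from any of the standards. The ordinal scales, the thresholds and the sample threats for the networked machine controller are constructed assumptions.

```python
"""Minimal risk register following the shared structure of EN 40000-1-2 6.4/6.5,
EN IEC 62443-4-1 prAA SRM-1/SRM-5/SRM-6 and ISO/SAE 21434 clause 15.
Scales (1..5), thresholds and sample threats are constructed assumptions."""
from dataclasses import dataclass, replace
from enum import Enum


class Treatment(Enum):
    ACCEPT = "acceptance"
    REDUCE = "reduction by measures"
    AVOID = "avoidance"
    # Sharing/transfer is a contractual decision, not derivable from the numbers.


@dataclass(frozen=True)
class Threat:
    asset: str                # affected / targeted asset
    security_objective: str   # compromised security objective or property
    cause: str                # cause of compromise
    likelihood: int           # assumed ordinal scale 1 (rare) .. 5 (almost certain)
    impact: int               # assumed ordinal scale 1 (negligible) .. 5 (severe)

    def risk(self) -> int:
        # Risk as a combination of likelihood and impact (assumed: product).
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Criteria:
    """Acceptance criteria of the manufacturer's own methodology (SRM-1 style)."""
    accept_at_or_below: int = 4
    avoid_at_or_above: int = 20


def decide(t: Threat, c: Criteria) -> Treatment:
    """Risk treatment decision for one threat scenario against the criteria."""
    r = t.risk()
    if r <= c.accept_at_or_below:
        return Treatment.ACCEPT
    if r >= c.avoid_at_or_above:
        return Treatment.AVOID
    return Treatment.REDUCE


def apply_measure(t: Threat, likelihood_reduction: int) -> Threat:
    """A risk-reducing measure lowers likelihood; the residual risk is re-evaluated."""
    return replace(t, likelihood=max(1, t.likelihood - likelihood_reduction))


def register(threats, c: Criteria):
    """Risk evaluation step: every scenario with its risk value and decision, highest first."""
    return sorted(((t, t.risk(), decide(t, c)) for t in threats), key=lambda row: -row[1])


# Constructed sample for Example 1: networked machine controller with remote maintenance.
SAMPLE = [
    Threat("remote maintenance interface", "confidentiality", "weak authentication", 4, 4),
    Threat("controller firmware", "integrity", "unsigned update image", 3, 5),
    Threat("diagnostic log", "availability", "log storage exhaustion", 2, 2),
]
CRITERIA = Criteria()
```

Running `register(SAMPLE, CRITERIA)` lists the two scenarios above the acceptance threshold as candidates for reduction, and `apply_measure` shows how the residual risk is checked against the same criteria once a measure is defined.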
Typical pitfalls for manufacturers
Example 1: networked machine controller with remote maintenance. It falls under the Machinery Regulation and, as a product with digital elements, also under the CRA. If you only carry out a “safety risk assessment” and assume that covers both domains, you miss the fact that the safety assessment under EN ISO 12100 does not capture the threat landscape of the remote maintenance interface. For that you need the assessment of cybersecurity risk under the CRA, methodically supported by EN 40000-1-2.
Example 2: industrial IoT sensor whose development process is set up according to IEC 62443-4-1. If only the threat model according to SR-2 is maintained, the explicit risk assessment and risk treatment expected by the CRA and the forthcoming 62443 drafts are missing. The threat model alone does not fulfil the obligation to assess cybersecurity risk.
Example 3: linguistic pitfall. “TARA” is increasingly used outside the automotive sector. In documentation and in the conformity evidence for a CRA product, the term required by the applicable framework should be used instead.
Conclusion: an overarching term with clearly separated substeps
Behind risk assessment, risk management, threat model, threat analysis, TARA and Cybersecurity Risk Assessment lies essentially the same risk logic. The crucial point is to use the right term in each case and to keep safety strictly separate from security. For product-related security, “assessment of cybersecurity risk” or “Cybersecurity Risk Assessment” is recommended as the overarching term, since it follows the terminology of the CRA and EN 40000-1-2 6.4. The threat model remains a substep in threat identification, TARA remains reserved for the automotive world, and the risk assessment under the Machinery Regulation describes the safety-related, not the cybersecurity-related, evaluation.