Terms around risks, threats and threat analysis cause confusion. This overview shows what the CRA, IEC 62443 and EN 40000 require.
Key points in brief
- Confusion arises not around formulas but around terminology, especially at the interface between safety (safety-related risk assessment) and security (threat and risk analysis).
- The Machinery Regulation requires a risk assessment in the sense of functional safety, while the CRA requires an assessment of cybersecurity risk. These are separate steps with different aims.
- Most frameworks define risk as a combination of likelihood and severity. This applies to the CRA (Article 3 No. 37), EN 40000-1-2 (6.4.4), EN IEC 62443-4-1 prAA (SRM-5) and ISO/SAE 21434 (15.8).
- Assessing cybersecurity risk consists of three steps: creating a threat model, assessing the identified threats, and deriving risk-reducing measures for the critical threats.
- The TARA from ISO/SAE 21434 is the automotive-specific overall method for carrying out threat and risk analysis.
- As a generic term, “assessment of cybersecurity risk” or “cybersecurity risk assessment” from the CRA is useful, even though it really refers to the management of cybersecurity risks and the assessment is only one part.
What does an assessment of cybersecurity risk mean?
An assessment of cybersecurity risk answers three questions: which threats can affect the product, how high is the resulting risk, and which risk-reducing measures are necessary? Methodically it relies on three building blocks: the assets worth protecting and their security objectives, the identified threats, and the evaluation of risk as a combination of likelihood and severity. On this basis, the manufacturer decides on risk treatment and which measures should reduce the critical threats.
That is the common logic. In practice each framework names this activity differently and sets its own emphases.
Which terms do the individual frameworks use?
The overview below assigns the original terms to their respective sources and shows what is specifically required.
| Framework | Original term | What is required | Scope |
|---|---|---|---|
| Machinery Regulation (EU) 2023/1230 | Risk assessment | Safety-related risk assessment of the machine, methodologically according to EN ISO 12100; cybersecurity-relevant are in particular Annex III sections 1.1.9 (protection against corruption) and 1.2.1 (safety and reliability of control systems) | Safety, machine as a whole |
| EN 50742 | Threat assessment | After the risk assessment according to EN ISO 12100, in which all hazards have been identified, the designer performs a threat assessment | Interface safety to security at the machine |
| Cyber Resilience Act (EU) 2024/2847 | Assessment of cybersecurity risk | Manufacturers carry out an assessment of cybersecurity risks (Article 13(2)), document it (Article 13(3), Annex VII No. 3) and derive which fundamental requirements from Annex I Part I apply | Security, product with digital elements |
| EN 40000-1-2 (draft) | Risk assessment (within risk management) | Structured method: assets and security objectives (6.4.2), threats (6.4.3), risk estimation (6.4.4), risk evaluation (6.4.5); threat modelling is part of the risk analysis | Security, product, CRA-harmonized |
| IEC 62443-4-1 Ed.1 | Threat model (SR-2) | Process for a threat model with trust boundaries, attack vectors, threats including severity (for example CVSS) and mitigations | Security, secure development process |
| EN IEC 62443-4-1 prAA (draft) | Security risk management (SRM) including Threat model (SRM-4) | Own risk management practice: method and acceptance criteria (SRM-1), evaluation of threat scenarios by likelihood and impact, risk treatment (SRM-5) | Security, secure development process |
| ISO/SAE 21434 | Threat analysis and risk assessment (TARA) | Modular overall method (Clause 15): asset identification, threat scenario identification, impact rating, attack path analysis, attack feasibility rating, risk value determination, risk treatment decision | Security, road vehicles and their components |
Why safety and security are not the same
The most common terminology error concerns the machinery domain. The Machinery Regulation requires a risk assessment, but it means the safety-related assessment of hazards according to EN ISO 12100. That asks: what danger does the machine pose to people? An assessment of cybersecurity risk asks something different: what are the consequences if critical threats are exploited, and which appropriate measures can counteract them?
EN 50742 makes this sequence explicit. First the risk assessment according to EN ISO 12100 is carried out with complete identification of hazards; afterwards the designer performs a threat assessment. The standard therefore deliberately separates two steps: first safety, then security. Anyone who bundles both under the German word “Risikobeurteilung” loses that distinction.
The CRA confirms this. Recital 53 notes that compliance with the basic cybersecurity requirements can facilitate meeting certain requirements of the Machinery Regulation, in particular protection against corruption and the safety and reliability of control systems. Facilitate, not replace. Manufacturers of machines with digital elements must carry out both assessments; they complement each other.
Threat model, risk evaluation and TARA: three levels, one misunderstanding
Even within the security world the terms get mixed up. A useful distinction is three levels.
A threat model is a substep, not the full risk assessment. In IEC 62443-4-1 Ed.1, SR-2 describes the threat model with trust boundaries, data flows, attack vectors and threats including severity. A standalone risk management practice is still missing in that edition. Only EN IEC 62443-4-1 prAA supplements SRM to provide a complete security risk management practice: SRM-1 requires a methodology, including acceptance criteria, by which the threat scenarios identified in the threat model are evaluated by likelihood and impact and the risk is derived. The requirement for the threat model moves to SRM-4.
EN 40000-1-2, intended as a harmonised standard to the CRA, describes in Clause 6 risk-management elements: the context, the methodology, risk evaluation including threat model, risk treatment and risk communication. The threat model is explicitly a building block of the risk assessment here, not a substitute.
TARA is the automotive-specific overall method of ISO/SAE 21434. It bundles threat analysis and risk assessment into a named, modular procedure. The term TARA belongs in the automotive context. For an industrial product under the CRA, using “TARA” is conceptually incorrect, even if the underlying logic is nearly identical.
How close the methods actually are
Despite different names, the methods are very similar in content. EN 40000-1-2 defines threats in 6.4.3 via three elements: the affected asset, the compromised security objective and the cause of compromise. ISO/SAE 21434 describes a threat scenario in RQ-15-03 in almost the same words: targeted asset, compromised cybersecurity property, cause of compromise.
The frameworks also converge on risk treatment. EN IEC 62443-4-1 prAA lists in SRM-6 four options: avoidance, reduction through measures, sharing/transfer and acceptance. ISO/SAE 21434 lists in RQ-15-17 the same four: avoiding, reducing, sharing, retaining. EN 40000-1-2 also defines in 6.5 the four options risk avoidance, risk mitigation, risk transfer and risk acceptance.
If you master one method, you already understand the basic logic of the others. Differences lie in level of detail, scales and the required scope and content of the evidence.
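The shared logic of the three frameworks, expressed as a small risk register, as an added example that is not part of the original article or of any of the standards it cites. The threat record uses the three elements that EN 40000-1-2 6.4.3 and ISO/SAE 21434 RQ-15-03 share (asset, security objective, cause); the 1..5 ordinal scales, the product formula for the risk value, the acceptance threshold, the effect attributed to each measure and the sample threats are assumptions constructed for this example, not values taken from any standard. The gap check at the end encodes the point the article makes later: a register that stops at identified threats, or that leaves an unacceptable risk without a treatment decision, is a threat model, not a completed assessment.

```python
"""Added example: minimal product cybersecurity risk register.
Threat triple follows EN 40000-1-2 6.4.3 / ISO/SAE 21434 RQ-15-03.
Scales, formula, threshold, measure effects and sample data are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scale for likelihood and severity
ACCEPTANCE_THRESHOLD = 4      # assumed acceptance criterion (the method must define one)


class Treatment(Enum):
    """The four treatment options the frameworks share (names assumed here)."""
    AVOID = "avoid"
    REDUCE = "reduce"
    SHARE = "share"
    ACCEPT = "accept"


@dataclass(frozen=True)
class Threat:
    """Affected asset, compromised security objective, cause of compromise."""
    asset: str
    security_objective: str
    cause: str


@dataclass(frozen=True)
class Measure:
    """Risk-reducing measure with its assumed effect on the two ratings."""
    description: str
    likelihood_reduction: int = 0
    severity_reduction: int = 0


@dataclass
class RiskEntry:
    threat: Threat
    likelihood: Optional[int] = None      # None = identified but not yet rated
    severity: Optional[int] = None
    measures: List[Measure] = field(default_factory=list)
    treatment: Optional[Treatment] = None


def risk_value(likelihood: int, severity: int) -> int:
    """Risk as a combination of likelihood and severity (product is our assumption)."""
    for v in (likelihood, severity):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"rating {v} outside the assumed {SCALE_MIN}..{SCALE_MAX} scale")
    return likelihood * severity


def initial_risk(entry: RiskEntry) -> Optional[int]:
    if entry.likelihood is None or entry.severity is None:
        return None
    return risk_value(entry.likelihood, entry.severity)


def residual_rating(entry: RiskEntry) -> Optional[Tuple[int, int]]:
    """Ratings after applying the measures, clamped to the bottom of the scale."""
    if entry.likelihood is None or entry.severity is None:
        return None
    lik = entry.likelihood - sum(m.likelihood_reduction for m in entry.measures)
    sev = entry.severity - sum(m.severity_reduction for m in entry.measures)
    return max(SCALE_MIN, lik), max(SCALE_MIN, sev)


def residual_risk(entry: RiskEntry) -> Optional[int]:
    rating = residual_rating(entry)
    return None if rating is None else risk_value(*rating)


def assessment_gaps(register: List[RiskEntry], threshold: int = ACCEPTANCE_THRESHOLD) -> List[str]:
    """Return one line per entry that does not yet satisfy the assumed method."""
    gaps = []
    for e in register:
        name = f"{e.threat.asset} / {e.threat.security_objective}"
        res = residual_risk(e)
        if res is None:
            gaps.append(f"{name}: threat identified but not evaluated (threat model only)")
            continue
        if e.treatment is Treatment.REDUCE and not e.measures:
            gaps.append(f"{name}: treatment 'reduce' without any measure")
        if res > threshold and e.treatment in (None, Treatment.ACCEPT):
            gaps.append(f"{name}: residual risk {res} exceeds acceptance criterion {threshold} and is not treated")
    return gaps


# Constructed sample register for a networked controller with remote maintenance.
REMOTE_MAINTENANCE = RiskEntry(
    threat=Threat("remote maintenance interface", "integrity",
                  "unauthenticated command over the maintenance protocol"),
    likelihood=4, severity=5,
    measures=[Measure("mutual TLS with per-device certificates", likelihood_reduction=3),
              Measure("safety function forces safe state on implausible commands", severity_reduction=2)],
    treatment=Treatment.REDUCE,
)
UPDATE_IMAGE = RiskEntry(
    threat=Threat("firmware update image", "integrity", "unsigned image accepted by the bootloader"),
    likelihood=3, severity=4,
)
LOG_EXPORT = RiskEntry(
    threat=Threat("diagnostic log export", "confidentiality", "log readable by any local user"),
    likelihood=2, severity=2, treatment=Treatment.ACCEPT,
)
UNRATED = RiskEntry(threat=Threat("engineering workstation link", "availability", "flooding of the fieldbus"))
SAMPLE_REGISTER = [REMOTE_MAINTENANCE, UPDATE_IMAGE, LOG_EXPORT, UNRATED]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.threat.asset, initial_risk(entry), "->", residual_risk(entry), entry.treatment)
    print("\n".join(assessment_gaps(SAMPLE_REGISTER)))
```

Running the block lists the remote maintenance threat as reduced from 20 to 3 and reports two gaps: the unsigned update image (risk 12, no treatment decision) and the fieldbus threat that was modelled but never rated. Swapping the field names for the vocabulary of a particular framework (threat scenario, attack feasibility, impact rating) changes nothing in the logic, which is the article's point.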
Typical stumbling blocks for manufacturers
Example 1: networked machine controller with remote maintenance. It falls under the Machinery Regulation and, as a product with digital elements, under the CRA. If you only perform a “safety risk assessment” and assume it covers both domains, you miss that the safety assessment under EN ISO 12100 does not capture the threat landscape of the remote maintenance interface. For that you need the assessment of cybersecurity risk under the CRA, methodologically supported by EN 40000-1-2.
Example 2: industrial IoT sensor whose development process is set up according to IEC 62443-4-1. If only the threat model according to SR-2 is maintained, the explicit risk evaluation and risk treatment expected by the CRA and the forthcoming 62443 drafts are missing. The threat model alone does not satisfy the obligation to assess cybersecurity risk.
Example 3: linguistic pitfall. “TARA” is increasingly used outside the automotive industry. In documentation and in the conformity evidence for a CRA product, the term required by the applicable framework should be used instead.
Conclusion: an umbrella term with clearly defined substeps
Behind risk assessment, risk management, threat model, threat analysis, TARA and cybersecurity risk assessment lies essentially the same risk logic. What matters is to use the right term and to keep safety cleanly separated from security. For product-related security the term “assessment of cybersecurity risk” or “cybersecurity risk assessment” is recommended as an umbrella term, since it follows the terminology of the CRA and EN 40000-1-2 6.4. The threat model remains a substep in threat identification, TARA remains reserved for the automotive world, and the risk assessment under the Machinery Regulation describes the safety-related, not the cybersecurity-related, evaluation.