There is no shortcut to CRA compliance.

The Cyber Resilience Act requires manufacturers to make risk-based decisions during product design and development.
But before cybersecurity risks can be assessed, they first need to be identified.

An experienced security professional will typically identify more threats and risks than a beginner.
The number depends heavily on a person's security mindset, creativity, and years of experience.
That kind of experience, however, is far too expensive.

Once risks have been identified, they must be translated into security requirements.
And requirements often result in additional implementation effort and costs.
Costs that most people want to avoid.

As a consequence, some manufacturers may be tempted to identify as few risks as possible.
Or even to hide risks they already know about.
The idea is simple: what is not documented cannot be verified by market surveillance authorities.

But here is what many people seem to overlook:
The CRA already defines a set of essential cybersecurity requirements that must be taken into account regardless of the outcome of your own risk assessment.
They are intentionally broad and generic so that they cover almost all cybersecurity risks.

Manufacturers are required to document whether these requirements are applicable and how they are implemented.
And where certain requirements are considered not applicable, manufacturers must provide a clear justification.

Of course, even experienced people may overlook critical threats and risks.
We all make mistakes, and nobody is perfect.
But intentionally omitting known cybersecurity risks is not a mistake.

Deliberately omitting known cybersecurity risks is not a shortcut to compliance.
It is not just non-compliant: it undermines the entire purpose of the regulation and puts users and your reputation at risk.
You may hide known risks.
But hiding them does not remove them from your product.