Risk assessment for CE compliance — methodology overview and standards reference
Overview of the risk assessment methodologies that satisfy CE marking directives — Machinery, MDR, CRA — and the harmonised standards each cites.
By Vladimír Vician
Risk assessment is the foundation of CE marking. Without a documented analysis of the hazards a product presents and the measures mitigating them, the Declaration of Conformity is a signature on an unsupported claim.
This article gives an overview of when risk assessment is required, the canonical methodologies the harmonised standards prescribe (and the standards themselves as the authoritative source), how the risk assessment integrates with the Technical File, and the most common failure modes auditors surface.
When risk assessment is required
The directive obligation is uniform across CE marking even when the wording differs:
| Directive / Regulation | Risk assessment article / annex |
|---|---|
| Cyber Resilience Act (EU) 2024/2847 | Article 13(2) — assessment "in relation to the risks posed to the products with digital elements" |
| Machinery Regulation (EU) 2023/1230 | Annex III General Principles 1 — the manufacturer shall undertake a risk assessment |
| Medical Device Regulation (EU) 2017/745 | Annex I Chapter I General Safety and Performance Requirements 3 — risk management throughout the lifecycle |
| In Vitro Diagnostic Regulation (EU) 2017/746 | Annex I parallel obligation |
| Toy Safety Directive 2009/48/EC | Annex I §1 part B — manufacturers shall carry out an analysis of the chemical, physical, mechanical, electrical, flammability, hygiene and radioactivity hazards |
| Pressure Equipment Directive 2014/68/EU | Annex I §1 — manufacturer obliged to analyse hazards |
| General Product Safety Regulation (EU) 2023/988 | Article 9 — manufacturers shall ensure that products placed on the market are safe |
The wording varies but the substantive obligation is the same: identify hazards, assess them, mitigate, document residual risks, integrate into the Technical File.
Domain-specific canonical methodologies
Each domain has a canonical harmonised standard that the Official Journal cites for presumption of conformity.
Machinery — EN ISO 12100
EN ISO 12100 — Safety of machinery — General principles for design — Risk assessment and risk reduction. The harmonised standard cited in the Official Journal under the Machinery Regulation 2023/1230 (and the prior Machinery Directive 2006/42/EC). The standard prescribes a three-step iterative procedure covering hazard identification, risk estimation, and risk evaluation against acceptance criteria. Subsequent risk reduction is then applied through inherently safe design, protective measures, and information for use, in that priority order.
For machinery products, consult EN ISO 12100 for the binding methodology. The standard is a paid publication; subscription via your national standards body (DIN in Germany, AFNOR in France, ÚNMS in Slovakia, BSI in the UK).
Medical devices — ISO 14971
ISO 14971 — Medical devices — Application of risk management to medical devices. The harmonised standard under MDR for risk management. The standard prescribes a lifecycle-long risk management process covering risk analysis, evaluation, control, residual risk acceptability, and post-production information. The 2019 version (cited in OJ under MDR) extended the scope from pre-market risk management to full lifecycle coverage.
For medical devices, consult ISO 14971 for the binding methodology. Paid publication; subscription via your national standards body.
Cybersecurity — EN 18031 Annex A
EN 18031 family — the harmonised standard under the RED Delegated Act for cybersecurity (and largely also applicable for satisfying CRA Annex I Part I requirements). Annex A of each part defines an asset-based risk assessment methodology prescribing identification of the product's assets, the threats per asset, the security capabilities required to mitigate them, and the acceptance criteria.
For cybersecurity in scope of RED Delegated Act and CRA, EN 18031 Annex A is the prescribed methodology. See RED Delegated Act + EN 18031 walkthrough.
General cybersecurity (complementary)
Where the directive does not cite EN 18031 specifically, general cybersecurity risk methodologies recognised in EU practice include:
- ISO/IEC 27005 — Information security risk management. ISMS-aligned methodology used by NIS2-covered entities for organisation-level risk
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments. US framework recognised in EU practice for IT system risk
- STRIDE — Microsoft-originated threat modelling methodology used for software design
- OWASP Risk Rating Methodology — for web-facing components
These are not formally harmonised standards under EU directives but are recognised state-of-the-art and frequently referenced in Technical Files.
Electrical safety — within EN 62368-1 / EN 61010
EN 62368-1 — Audio/video, information and communication technology equipment — Part 1: Safety requirements — incorporates risk-based safety analysis within its hazard-based safety engineering framework. The standard categorises energies as ES1/ES2/ES3 (electrical), PS1/PS2/PS3 (power source), and so on, with prescribed engineering responses per category.
For ITE safety, EN 62368-1 incorporates the risk assessment within its structure rather than requiring a separate document. Consult the standard for binding procedure.
What the risk assessment must demonstrate
Across all methodologies, the documented risk assessment must show:
- Hazard identification — what hazards the product presents to users, bystanders, networks, other systems
- Severity estimation — for each hazard, how severe the consequence would be if it materialised
- Probability estimation — how likely the hazard is to materialise under intended use and foreseeable misuse
- Risk evaluation against acceptance criteria — whether the unmitigated risk is acceptable; if not, what mitigations are required
- Risk reduction measures — design choices, protective measures, information for use that reduce risk to acceptable levels
- Residual risk — what risk remains after mitigations; the manufacturer's acceptance with rationale and any user-disclosed mitigations
The methodologies differ in:
- Severity and probability scales — ISO 14971 uses qualitative bands; EN ISO 12100 uses semi-quantitative scoring; EN 18031 uses asset-based likelihood
- Acceptance criteria — what level of risk is considered acceptable
- Iterative versus linear — EN ISO 12100 prescribes iteration through risk reduction and re-evaluation; ISO 14971 prescribes lifecycle risk management
For each cited methodology, the manufacturer's documented assessment follows the standard's procedure.
Integration with the Technical File
The risk assessment is a discrete section of the Technical File — typically section 3 in the CRA Annex VII structure. It is referenced from:
- Section 1 (product identification) — intended use and foreseeable misuse feed the risk assessment
- Section 4 (harmonised standards) — the cited methodology standard appears in this list
- Section 5 (test reports) — verification that mitigations work as designed
- Section 6 (software-specific evidence under CRA) — cybersecurity risk assessment per EN 18031 Annex A
- Section 8 (post-market surveillance) — feedback loop from field experience back into the risk assessment
The risk assessment is a living document — updated when the product, threat landscape, or regulation changes.
Common risk assessment failure modes
From the Inovasense compliance practice:
- Generic copy-paste risk assessment. A risk assessment generated by template without the manufacturer's specific product context is immediately recognisable to auditors. Hazards must trace to the product's specific function and intended use.
- No documented methodology. The risk assessment exists but the methodology used (which standard, which steps) is not stated. Without a cited methodology, the presumption of conformity does not apply.
- Severity and probability scoring without scale definition. "Severity 3, Probability 2" is meaningless without the table defining what 3 and 2 mean.
- Mitigations not traced to identified risks. The risk assessment identifies hazard X; the design implements mitigation Y; the trace from X to Y is unclear. Auditors expect explicit traceability.
- No residual risk acceptance. Every product has residual risks; the manufacturer's acceptance and the user-disclosed mitigations must be documented.
- Not updated after material product change. A risk assessment from product launch, never revised through five firmware releases, no longer matches the product on the market.
- Single-domain risk assessment for multi-directive product. A connected machine needs Machinery Regulation risk assessment AND CRA Article 13 cybersecurity risk assessment AND Low Voltage Directive electrical safety analysis — typically as integrated but distinguishable subsections.
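The elements a documented assessment must show (hazard, severity, probability, evaluation against acceptance criteria, mitigation, residual risk) and the auditor-visible failure modes listed above can both be expressed as checks over a risk register. The following is an added illustration, not code from this article, from Cenitia, or from any harmonised standard: the severity and probability scales, the multiplicative risk index, the acceptance threshold of 6, and the three hazards are constructed assumptions chosen to exercise the checks, and a real assessment would take its scales and acceptance criteria from the cited standard.

```python
"""Risk register evaluator with auditor-style lint checks (constructed example).

Scales, threshold and sample hazards are illustrative assumptions, not values
from EN ISO 12100, ISO 14971 or EN 18031.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed scale definitions: every score used in the register must map to a band.
SEVERITY_SCALE = {1: "negligible", 2: "minor", 3: "serious", 4: "critical"}
PROBABILITY_SCALE = {1: "remote", 2: "occasional", 3: "probable", 4: "frequent"}
# Assumed acceptance criterion: severity x probability must not exceed this value.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Hazard:
    id: str
    description: str
    severity: int
    probability: int
    residual_severity: Optional[int] = None      # after mitigations; None = unchanged
    residual_probability: Optional[int] = None
    residual_accepted_by: Optional[str] = None   # who accepted the residual risk
    residual_rationale: Optional[str] = None     # why it is acceptable


@dataclass
class Mitigation:
    id: str
    description: str
    mitigates: str  # hazard id this measure traces to


@dataclass
class RiskAssessment:
    methodology: Optional[str]  # cited standard and procedure, e.g. "EN ISO 12100"
    hazards: list
    mitigations: list


def risk_index(severity: int, probability: int) -> int:
    """Assumed risk index: the product of the two scale scores."""
    return severity * probability


def evaluate(ra: RiskAssessment) -> dict:
    """Per hazard: initial index, residual index after mitigation, acceptability."""
    results = {}
    for h in ra.hazards:
        initial = risk_index(h.severity, h.probability)
        rs = h.residual_severity if h.residual_severity is not None else h.severity
        rp = h.residual_probability if h.residual_probability is not None else h.probability
        residual = risk_index(rs, rp)
        results[h.id] = {"initial": initial, "residual": residual,
                         "acceptable": residual <= ACCEPTANCE_THRESHOLD}
    return results


def lint(ra: RiskAssessment) -> list:
    """Flag the failure modes an auditor looks for; empty list means none found."""
    findings = []
    if not ra.methodology:
        findings.append("no documented methodology")
    hazard_ids = {h.id for h in ra.hazards}
    mitigated = {m.mitigates for m in ra.mitigations}
    for m in ra.mitigations:
        if m.mitigates not in hazard_ids:
            findings.append(f"{m.id}: mitigation does not trace to an identified hazard")
    scores = evaluate(ra)
    for h in ra.hazards:
        for label, value, scale in (("severity", h.severity, SEVERITY_SCALE),
                                    ("probability", h.probability, PROBABILITY_SCALE)):
            if value not in scale:
                findings.append(f"{h.id}: {label} {value} is not defined in the scale")
        s = scores[h.id]
        if s["initial"] > ACCEPTANCE_THRESHOLD and h.id not in mitigated:
            findings.append(f"{h.id}: initial risk {s['initial']} exceeds acceptance "
                            "criteria and no mitigation traces to it")
        if not s["acceptable"]:
            findings.append(f"{h.id}: residual risk {s['residual']} exceeds acceptance criteria")
        if not (h.residual_accepted_by and h.residual_rationale):
            findings.append(f"{h.id}: residual risk acceptance not documented")
    return findings


# Constructed sample register for a connected machine (two domains in one file).
SAMPLE = RiskAssessment(
    methodology="EN ISO 12100 (machinery) + EN 18031 Annex A (cybersecurity)",
    hazards=[
        Hazard("H1", "operator reach into conveyor drive pinch point", 3, 3,
               residual_severity=3, residual_probability=1,
               residual_accepted_by="Chief Engineer",
               residual_rationale="fixed guard; exposure only during locked-out maintenance"),
        Hazard("H2", "firmware update image installed without authentication", 4, 2,
               residual_severity=4, residual_probability=1),   # acceptance left undocumented
        Hazard("H3", "hazard scored outside the defined scale", 5, 2),  # no mitigation either
    ],
    mitigations=[
        Mitigation("M1", "fixed guard over drive with interlocked access door", "H1"),
        Mitigation("M2", "device verifies update image signature before install", "H2"),
        Mitigation("M3", "template mitigation that references no hazard", "H9"),
    ],
)

if __name__ == "__main__":
    for hazard_id, score in evaluate(SAMPLE).items():
        print(hazard_id, score)
    for finding in lint(SAMPLE):
        print("FINDING:", finding)
```

Running the block on the sample register reports H1 as reduced from 9 to 3 and accepted, and lists six findings: the untraced template mitigation M3, the undocumented residual acceptance on H2, and four on H3 (out-of-scale severity, unacceptable initial risk with no traced mitigation, unacceptable residual risk, and missing acceptance). A register that passes `lint` with no findings shows exactly the traceability and scale discipline the list above describes.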
How Cenitia helps
Cenitia identifies the applicable directives for your product and the canonical risk assessment methodology each cites. The template structure for each domain is pre-populated — hazard categories typical for the product type, severity and probability scale templates, residual risk format. The substantive content is filled by the manufacturer's engineering team against the cited harmonised standard.
For products needing specialist risk assessment review — Machinery Annex IV listed equipment, MDR Class IIb+, CRA Annex IV critical products — our parent company Inovasense provides consulting.
Frequently asked questions
Is a risk assessment legally required for CE marking?
Yes, for every product subject to a directive that mandates conformity to essential requirements. The directive does not always use the words 'risk assessment' but the obligation is operative: the manufacturer must demonstrate that the product meets the essential requirements proportional to its intended use and foreseeable misuse. CRA Article 13(2) makes this explicit for products with digital elements; the Machinery Regulation 2023/1230 Annex III makes it explicit for machinery; MDR Annex I makes it explicit for medical devices.
Which methodology should I use?
Use the harmonised standard cited in the Official Journal for your directive. EN ISO 12100 is the canonical methodology for machinery risk assessment. ISO 14971 is the canonical methodology for medical device risk management. EN 18031 Annex A provides the asset-based methodology for cybersecurity under RED Delegated Act and CRA. STRIDE, ISO/IEC 27005, and NIST SP 800-30 are recognised methodologies for general cybersecurity risk that complement the standards. For products subject to multiple directives, run distinct risk assessments per domain and integrate them in the Technical File.
What does the risk assessment have to demonstrate?
That the manufacturer has identified the hazards a reasonable user would encounter, assessed their severity and probability, applied measures to reduce risks to an acceptable level, and documented the residual risks the user accepts. The 'acceptable level' is determined by the harmonised standard and the state of the art; in practice it is what an industry-experienced auditor would consider proportionate to the intended use. The risk assessment is part of the Technical File and is inspected by market surveillance authorities and Notified Bodies.
Does Cenitia replace the risk assessment standard methodology?
No. Cenitia generates the risk assessment template, identifies which standard methodology applies for each directive in scope of the product, and pre-populates the hazard categories typical for the product type. The substantive content — which hazards your specific product presents, which severities you accept, which mitigations you apply — is engineering work that must be performed against the cited harmonised standard. For methodologies behind subscription harmonised standards (EN ISO 12100, ISO 14971), consult the standard text for binding procedure.
How often does the risk assessment need to be updated?
When the product is materially modified, when a cited regulation is amended, when a cited harmonised standard is updated, or when post-market evidence (incident reports, near-misses, customer feedback) reveals previously unidentified hazards. Most manufacturers also schedule an annual review independently of these triggers, as a matter of QMS discipline. The Technical File version-controls the risk assessment alongside the firmware and DoC.
Can I use machine learning or AI tools to generate the risk assessment?
AI tools can scaffold the structure, suggest hazard categories, and produce drafting in the standard's voice. They cannot replace the substantive engineering judgement about which hazards apply to your specific product, which severities are accepted, and which mitigations are implemented. For products under the AI Act (Regulation 2024/1689) the AI tool itself becomes part of the conformity scope if it operates in the product. Use AI to accelerate the documentation, not to substitute for the engineering work.
Related from the Library
- Technical File 101 — where the risk assessment lives
- CRA Annex I explained — the essential requirements that risk assessment is proportional to
- RED Delegated Act + EN 18031 walkthrough — the EN 18031 cybersecurity methodology
- Technical File for IoT devices template — the section 3 detail for IoT
Further reading
- Cyber Resilience Act Article 13 — risk assessment obligation
- Machinery Regulation 2023/1230 Annex III — machinery risk assessment obligation
- Medical Device Regulation Annex I — MDR safety and performance requirements
- EN ISO 12100 — machinery risk assessment standard (paid publication)
- ISO 14971 — medical device risk management standard (paid publication)
- EN 18031 family at CEN-CENELEC — cybersecurity risk methodology under RED Delegated Act
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- ISO/IEC 27005 — information security risk management (paid publication)
Last reviewed: 30 June 2026. Cited regulations are watched continuously by Cenitia; when one is amended, this article is flagged for update.