28 September - 1 October | Cardo Roma, Italy

No PP, No Problem: Building ASE_SPD from Risk Management (B12b)

Unlock strategies to derive security problem definitions from risk management without a protection profile.
29 Sep 2026
2:15 pm
Sala Cosmo II

The CRA requires developers to perform and document a product-specific risk assessment. ENISA has indicated that ASE_SPD can serve as a simplified way to express the outcome of such an assessment. For Protection Profiles (PPs), the ASE_SPD already reflects the risk analysis performed by the PP authors. However, for Security Targets (STs) that do not claim conformance to any PP, the connection between the product’s Risk Management process and the resulting ASE_SPD is often unclear or missing. This talk introduces a method to explicitly link Risk Management activities with the ASE_SPD, enabling a coherent bridge between CRA compliance obligations and EUCC certification requirements.