Integrating cybersecurity in the product design phase

QuBA-libre: An Open-Source Tool for Implementing the Cyber Resilience Act with Rapid Risk Analysis

Press release

The QuBA-libre risk assessment method developed by the Fraunhofer Institute for Applied and Integrated Security AISEC in collaboration with SICK AG quickly and easily evaluates product cybersecurity. It is now available as an open source tool on GitHub. The questionnaire-based assessment enables the efficient determination of product risk status with standardized protection requirements without overloading resources. Automated risk assessment, suggestions for corrective measures, documentation and assignment to the requirements of the Cyber Resilience Act (CRA) reduce the complexity of risk assessment and handling. QuBA-libre enables the integration of protective mechanisms, both in the concept and design phase for new products and in risk assessment and upgrades of existing products. Fraunhofer AISEC thus supports product manufacturers in ensuring cybersecurity as a quality feature of their products and in implementing the cybersecurity requirements of the CRA.

Garching near Munich, December 2, 2025 – The European Cyber Resilience Act (CRA) is an EU regulation passed in 2024 that stipulates basic cybersecurity requirements for products with digital elements, i.e. networked hardware and software products. Its purpose is to improve cybersecurity in the EU internal market and to establish transparency regarding the security level of these products.

Manufacturers and distributors must ensure security throughout the entire product life cycle and must ensure the conformity of newly introduced products by November 2027. The requirements explicitly include proof of risk analyses, minimization of attack surfaces and early integration of protective mechanisms in concepts and designs.

Complex risk analyses enable highly accurate statements regarding cybersecurity status, but also place a significant demand on time and financial resources. The QuBA-libre open source tool uses a questionnaire-based evaluation and handles simple mass-produced products with significantly less effort. This bridges the gap between highly complex risk analyses for specialized, critical individual components and analyses for products with a homogeneous security structure that do without subdivisions such as security zones.

Just a few steps to identify risks, implement security measures and ensure product compliance with CRA regulations.

The open-source tool developed and implemented by Fraunhofer AISEC in collaboration with SICK AG is based on a structured questionnaire. The questions cover topics such as estimating effects on confidentiality, integrity, and availability as well as the attack surface of the object in question. An automated risk assessment is generated based on the responses and a stored knowledge base.

This assessment process entails the following steps:

  • Developers and security experts answer the questionnaire with questions about the impact rating and the requisite attack potential.
  • The tool uses existing risk catalogs to generate an automated risk assessment based on the answers provided.
  • Appropriate countermeasures are automatically suggested to mitigate identified risks.
  • Developers and security experts manage risk by assigning proposed assumptions and countermeasures to the attack steps identified in the risk assessment.
  • IT security specialists perform a risk assessment for the remaining risks.
  • The tool automatically generates documentation summarizing the results and assigning them to the CRA requirements.
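The workflow in the six steps above, as an added sketch that is not QuBA-libre's code: the ordinal scales, the risk-catalog entries, the likelihood reductions and the requirement labels (REQ-…) are constructed placeholders, and the impact × attack-potential scoring is an assumed simplification.

```python
"""Added sketch of a questionnaire-driven risk assessment (not QuBA-libre's code); all values are constructed placeholders."""
IMPACT = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"high": 1, "moderate": 2, "basic": 3}  # attack potential the attacker needs; a low bar = likely attack
STATUS = {"low": "covered", "medium": "specialist review", "high": "action needed"}
# Constructed catalog: step -> (property hit, suggested measure, likelihood reduction, CRA requirement label)
CATALOG = {
    "replay of control commands": ("integrity", "message authentication", 2, "REQ-data-integrity"),
    "login with default password": ("confidentiality", "per-device credentials", 2, "REQ-access-control"),
    "unsigned firmware update": ("integrity", "signed update images", 2, "REQ-secure-update"),
    "flooding of network service": ("availability", "request rate limiting", 1, "REQ-availability"),
}
SAMPLE_ANSWERS = {  # constructed questionnaire answers for a hypothetical sensor
    "impact": {"confidentiality": "medium", "integrity": "high", "availability": "low"},
    "attack_potential": {"replay of control commands": "basic", "login with default password": "basic",
                         "unsigned firmware update": "moderate", "flooding of network service": "basic"},
}

def band(score: int) -> str:
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def assess(answers: dict) -> list[dict]:
    """Steps 1-3: impact per C/I/A plus required attack potential per step -> rated risks."""
    findings = []
    for step, (prop, measure, reduction, req) in CATALOG.items():
        if step not in answers["attack_potential"]:  # step answered as not applicable
            continue
        impact = IMPACT[answers["impact"][prop]]
        likelihood = LIKELIHOOD[answers["attack_potential"][step]]
        findings.append({"step": step, "impact": impact, "likelihood": likelihood, "risk": band(impact * likelihood),
                         "suggested": measure, "reduction": reduction, "requirement": req})
    return findings

def apply_countermeasures(findings: list[dict], assigned: set[str]) -> list[dict]:
    """Steps 4-5: assigned measures lower likelihood; what stays above 'low' is residual risk."""
    out = []
    for f in findings:
        likelihood = f["likelihood"]
        if f["suggested"] in assigned:
            likelihood = max(1, likelihood - f["reduction"])
        out.append({**f, "residual": band(f["impact"] * likelihood)})
    return out

def cra_report(residuals: list[dict]) -> dict:
    """Step 6: worst residual status per requirement shows where action is still needed."""
    report = {}
    for f in residuals:
        prev = report.get(f["requirement"], "covered")
        report[f["requirement"]] = max(prev, STATUS[f["residual"]], key=list(STATUS.values()).index)
    return report
```

Run `cra_report(apply_countermeasures(assess(SAMPLE_ANSWERS), {...}))` with the set of measures actually assigned to see which requirement labels still need action or a specialist's residual-risk judgement.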

“QuBA-libre enables a quick and comprehensive analysis of the cybersecurity of a simple product. It forms the basis for customized security that starts already in the product concept and design stage, obviating the need for costly security measures later on,” explains Bartol Filipovic, Head of the Product Protection & Industrial Security department at Fraunhofer AISEC.

In accordance with CRA specifications, a risk assessment at the start of product development helps to systematically identify security gaps at an early stage and to avoid attack surfaces. QuBA-libre's automatic assignment of the risk assessment to the CRA requirements shows where action is still needed. Conversely, if all requirements are met, the documentation serves as proof that the product is CRA-compliant and is therefore secure.


Fraunhofer AISEC expertise in risk assessment

The risk assessment of products is based on extensive catalogs of risk scenarios and attack methods as well as catalogs of measures in accordance with IEC 62443-4-2. This cybersecurity standard defines technical security requirements for components of industrial automation and control systems (IACS).
QuBA-libre is based on the Modular Risk Assessment (MoRA) method developed by Fraunhofer AISEC. MoRA provides a comprehensive framework for risk analyses of complex networked IT systems and has been used successfully by industrial partners for many years. QuBA-libre draws on the basic principles of MoRA, optimized for and focused on individual IT products such as sensors or edge devices.

Fraunhofer AISEC supports companies in adapting the analysis to their needs with QuBA-libre. The generic risk assessment catalogs are supplemented with additional entries specific to the company. The focus is on specific risk factors that are actually present and on assessing and implementing individual protective measures.

Further information: