The method for measuring trustworthiness (risk assessments) in software may need to follow a “common method”, similar to how credit reporting agencies in the US follow a defined method to calculate a “trust score” for a person, like the US FICO score, as an example.
All parties will need to apply the same “risk assessment logic/method” in order to produce a consistent means of communicating trustworthiness based on a risk assessment with consistent semantics so that everyone will understand the difference between a risk assessment trust score of 50 and a score of 90.
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Risk always exists, but trust must be earned and awarded.™
https://businesscyberguardian.com/
Email: dick@xxxxxxxxxxxxxxxxxxxxxxxxx
Tel: +1 978-696-1788
From: open-regulatory-compliance <open-regulatory-compliance-bounces@xxxxxxxxxxx> On Behalf Of Daniel Thompson-Yvetot via open-regulatory-compliance
Sent: Thursday, March 6, 2025 11:27 AM
To: Open Regulatory Compliance Working Group <open-regulatory-compliance@xxxxxxxxxxx>
Cc: Daniel Thompson-Yvetot <denjell@xxxxxxxxxxxxxx>
Subject: Re: [open-regulatory-compliance] FYI: The minutes for CRA Expert Group Meeting #1 are now public
I was happy to see the EUCC mentioned, but am also concerned that the various stakeholder opinions diverge in needs for the "risk assessment".
Being clear about the expectations will be essential for any CAB to be able to properly (and neutrally) interpret the risks. In my opinion, the risk assessment must be associated with the four principles the CRA defines:
Availability: Ensuring systems remain operational and accessible when needed
Authenticity: Verifying that data and users are genuine
Integrity: Maintaining data accuracy and preventing unauthorized modifications
Confidentiality: Protecting sensitive information from unauthorized access
Cheers,