Why Risk Assessment Falls Short in Cybersecurity

While new regulations like the Cyber Resilience Act (CRA) and the AI Act make risk assessment a legal requirement, they often put manufacturers in a difficult spot.

The problem is that many security risks come from things a manufacturer can’t control, like the underlying operating system. This creates a “no-win” situation:

  • Ignore the risk and hope for the best.

  • Kill the product because the external flaw can’t be fixed.

Since we can never reach “zero risk,” we need a mindset shift. Instead of just checking boxes on a risk assessment, we should focus on active problem-solving—identifying the threats we actually have the power to mitigate.

The Compliance Trap: Why Traditional Risk Assessment Falls Short in Modern Cybersecurity

New regulations like the Cyber Resilience Act (CRA) and the AI Act are changing the rules. They now require deep risk assessments as the “price of entry” for product compliance.

While the goal is to make tech more secure, this “safety-first” mindset has a major flaw: it doesn’t account for how the modern world actually works. For manufacturers operating in a complex, interconnected web of software and hardware, a rigid focus on traditional risk assessment isn’t just difficult—it’s a systemic weakness. Instead of making products safer, it often leaves companies buried in paperwork for risks they didn’t create and can’t easily control.

The Control Gap: A Manufacturer’s Reality

The fundamental flaw in mandatory risk assessment is a lack of control. A massive chunk of a product’s security risk doesn’t come from the manufacturer at all—it comes from “external dependencies” they didn’t build.

Take a smart device manufacturer, for example. Their product is only as secure as its operating system (Linux, Android, or Windows, say). If a major vulnerability is found deep in that OS or in a widely used third-party library, the manufacturer is instantly exposed to a threat they didn’t create and cannot directly fix.

This puts manufacturers in an impossible “no-win” situation:

  • Option A: Ignore the Risk. They keep shipping the product while knowing a critical flaw exists. This leaves users vulnerable and the company buried in legal liability—defeating the entire purpose of the law.

  • Option B: Kill the Product. They pull a successful product from the shelves or stop production entirely because of a bug in someone else’s code. This is a business death sentence and a total roadblock for innovation.

A Necessary Shift: From Paperwork to Problem-Solving

In engineering, “zero risk” doesn’t exist. You can only reduce or manage it. Because of this, we need to recalibrate how we look at regulation. Simply listing every possible threat on a piece of paper—which is what most assessments do—doesn’t actually make a product safer if those threats aren’t fixed.

We need to move past the “box-ticking” exercise of risk assessment and move toward active problem-solving.

This means building a strategy that is:

  • Action-Oriented: The goal isn’t a perfect spreadsheet of risks; it’s a more resilient product.

  • Prioritized: We should focus our energy on the risks we can actually control or find workarounds for.

  • Solution-Focused: Instead of just cataloging flaws, we should implement “defense-in-depth” strategies—like secure coding and fast patching—that protect the product even when an external component (like the OS) fails.

The Bottom Line: Risk assessment is a vital starting point for compliance, but it isn’t the finish line. Real cybersecurity isn’t about cataloging a vast landscape of problems we can’t solve; it’s about actively fixing the ones we can.