Cyber Resilience Act – nearly two-thirds of companies still unaware

The new EU cybersecurity directive brings multiple challenges for companies, including reporting obligations, the creation of Software Bills of Materials, and the shift to “secure by design” products. Yet the “IoT & OT Cybersecurity Report 2025,” published by ONEKEY, reveals the German economy is not prioritising the EU Cyber Resilience Act (CRA).

The CRA imposes obligations on manufacturers, importers, and distributors of networked devices, machines, and systems. The report states in conclusion, “In about a year’s time, the reporting requirements set out in the CRA will take full effect.” ONEKEY CEO, Jan Wendenburg, says, “We’re entering the final stretch. The report shows that there is currently too little evidence of this in the economy.”

Three hundred German industrial companies were surveyed for the report, with questions about companies’ plans regarding the security of industrial control systems (typically operational technology, or OT) and IoT, which are the focus of the EU Cybersecurity Regulation.

The survey found that fewer than one in three companies (32%) are fully familiar with the EU Cyber Resilience Act requirements, while another 36% have at least begun to review them. More than a quarter (27%), however, have not engaged with the topic at all. This is reflected in the slow pace of implementation, with only 14% of respondents having taken extensive measures to ensure compliance for their connected devices, machines, and systems. At least 38% have initiated first steps, while an equal share has yet to take any action, the report reveals.

The CRA imposes comprehensive obligations

Considering the extensive requirements of the EU Cyber Resilience Act, the ONEKEY report describes these obligations as “astonishing.” The report’s authors feel that manufacturers should develop secure products from the outset (security by design) and ensure CRA compliance throughout their products’ life cycles. That includes protection against unauthorised access, protection of data integrity and confidentiality, and ensuring ongoing operations. Manufacturers now have to report actively exploited vulnerabilities and serious incidents that compromise the security of their products to the European Cybersecurity Authority (ENISA), and the relevant national Computer Security Incident Response Team (CSIRT), within 24 hours.

Providers are required to deliver regular security updates to address known vulnerabilities and safeguard their products. They must also supply comprehensive documentation for all products – including a software bill of materials (SBOM) – to ensure full transparency and traceability of components. As Jan Wendenburg said, “It is not enough to simply meet these requirements; compliance with the CRA must also be documented and demonstrably proven.”

Challenges in operational practice

To better understand the challenges companies face with Cyber Resilience Act compliance, ONEKEY asked respondents to identify the areas they consider most demanding. According to the survey, 37% of companies view the requirement to report security-related incidents in 24 hours as the top challenge. Close behind, 35% cite meeting the “secure by design” and “secure by default” criteria. For 29%, the creation of a software bill of materials (SBOM) poses the greatest difficulty, while a similar share highlights ongoing software vulnerability management as a major concern.

Jan Wendenburg from ONEKEY explained the background to the issues. “Many manufacturers of digital devices, machines, and systems have focused primarily on the functionality of their products, paying less attention to their vulnerability to cyberattacks. The Cyber Resilience Act now requires them to treat both aspects as equally important. Some companies are still finding this dual focus challenging.”

He said that the new EU regulation covers an “extremely wide range of products,” including hardware such as digital toys, smart home devices, payment terminals, charging stations, IP cameras, medical devices, building automation systems, industrial controls, CNC machines, industrial robots, and production facilities with remote maintenance capabilities, among others.

Change in mindset of executives

Wendenburg said, “In many of these market segments, cybersecurity has primarily been about protecting one’s own company against attacks rather than protecting products against cyberattacks.” He acknowledges that a change in mindset among executives has begun, but notes that change will, naturally, take time. He pointed out the potentially far-reaching consequences if companies do not prioritise the Cyber Resilience Act (CRA). “Networked devices, machines, and systems that do not meet CRA requirements will no longer be permitted for sale or operation in the EU. Given development times of two to three years, it is imperative to act with the utmost urgency.”

Violations of the EU regulation may result in fines of up to €15 million or 2.5% of a company’s annual global turnover, whichever is greater. Boards of directors, management, and/or other responsible parties may also face personal liability.

The security situation is alarming, yet OT is neglected

To protect themselves and their customers from the growing threat of cybercrime and to comply with regulatory requirements, companies must adhere to the CRA. The Federal Office for Information Security (BSI) and the Federal Criminal Police Office (BKA) anticipate that the threat will continue to escalate in the coming years. In 2024 alone, cybercrime caused an estimated €178.6 billion in total damage in Germany, marking a €30.4 billion increase from the previous year.

“Many companies focus on protecting computer systems and networks, but industrial control systems in machines and plants often receive too little attention when it comes to security issues,” Wendenburg said. However, given the transformation of industrial processes, cyber threats on the shop floor are increasing. Factories and logistics centres should apply the same high security standards as data centres.

ONEKEY has developed a platform for companies that supports core internet of things (IoT) and operational technology (OT) cybersecurity functions, including vulnerability detection, software bill of materials (SBOM) validation, and regulatory compliance.

Author: Jan Wendenburg, CEO, ONEKEY
