Cybersecurity Report: Software Bills of Materials Are Key to Digital Resilience

Although software bills of materials (SBOMs) are not yet widely used by companies, they will soon become mandatory under the Cyber Resilience Act (CRA). ONEKEY IoT & OT Cybersecurity Report 2025: many companies are still in the early stages and could strengthen their cyber resilience by using SBOMs.
Düsseldorf, September 11, 2025 — As more and more devices connect to the internet, from smart homes to Industry 4.0, the potential for cyberattacks grows. Keeping software updated and secured is therefore crucial to ensuring that digital systems can withstand attacks. According to the latest "IoT & OT Cybersecurity Report 2025" from ONEKEY, a Düsseldorf-based cybersecurity company, only 12 percent of the German industrial companies surveyed have a complete overview of the software used in their devices, machines, and systems. A Software Bill of Materials (SBOM) provides exactly this overview: it is an inventory of all the components, with their versions, that a piece of software contains. "OT" stands for "operational technology," which includes industrial control systems. "IoT" stands for "Internet of Things" and refers to networked devices ranging from digital children's toys to medical equipment in hospitals.
Survey of 300 Industrial Companies
For its latest security report, available online at https://www.onekey.com/resource/iot-ot-cybersecurity-report-2025, ONEKEY surveyed 300 German industrial companies regarding OT and IoT security. 44 percent confirmed that they are addressing the issue of SBOMs. Just under a third (32 percent) have created an SBOM for some of their networked devices, machines, and systems; only 12 percent have done so for all affected products and systems. 25 percent do not have an SBOM for any of their digital devices, and another 25 percent said they were uncertain about the SBOM issue.
"The result is surprising, as the Cyber Resilience Act (CRA) will require a software bill of materials for all products with digital elements by 2027 at the latest," said Jan Wendenburg, CEO of ONEKEY. He clarified: "This is an EU regulation, not just a directive. This means that this cybersecurity standard will become legally effective immediately in accordance with EU timelines, without requiring national implementation. Therefore, there will be no delay due to the implementation of the CRA in Germany, as is the case with the NIS2 cybersecurity standard."
Noteworthy: the companies surveyed do not consider creating a software bill of materials (SBOM) to be the biggest challenge in meeting CRA requirements. Only 29 percent consider creating an SBOM particularly difficult. By comparison, 37 percent consider the obligation to report security incidents to the relevant authorities within 24 hours to be the CRA's biggest challenge. According to ONEKEY, this underestimation of the SBOM effort will prove to be an extraordinary challenge in connection with CRA compliance.
Many Hurdles on the Way to a Complete SBOM
"In an industrial environment, obtaining an up-to-date and complete software bill of materials is anything but easy," explained ONEKEY CEO Jan Wendenburg. Given the wide range of devices, machines, and systems, compiling the relevant information is a huge task for many companies. Additionally, many machines and their control systems are based on outdated and proprietary components, which makes achieving complete transparency nearly impossible. Complex supply chains and a lack of understanding among suppliers outside the European Union of EU-specific regulations further complicate matters.
The Cyber Resilience Act will require all manufacturers supplying connected products to the EU to provide an SBOM as part of their technical documentation. This SBOM must contain detailed information about the various software components. However, many suppliers would have difficulty compiling a complete SBOM because their upstream suppliers would not provide them with complete information. Jan Wendenburg explained: "Overall, the CRA requires detailed documentation of all programs, libraries, and components, including exact version numbers, license information, author details, and an overview."
It is an Ongoing Challenge Rather Than a One-Time Effort
According to the Düsseldorf-based security company that operates a platform for automatically generating SBOMs, creating an SBOM is not a one-time effort. Rather, the software bill of materials must be kept up to date on an ongoing basis. ONEKEY reports that the German Federal Office for Information Security (BSI) recorded an average of more than 2,000 software product vulnerabilities per month, 15 percent of which the office classified as "critical."
"With around 70 new potential gateways for hackers every day, it is particularly important for all manufacturers to keep track of things," Jan Wendenburg said. "The key challenge for manufacturers is to regularly check whether their products are affected by new vulnerabilities, so they can react quickly and proactively if necessary. This is exactly where the Cyber Resilience Act comes in. With the CRA, product cybersecurity is important not only on the day a product is delivered but also throughout the entire product life cycle. Those who create transparency about potential security gaps can act confidently and in compliance with the law in an emergency."
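The two practical tasks described above, checking an SBOM for the component metadata the CRA expects (name, exact version, license, supplier or author) and matching its components against incoming vulnerability advisories, can be illustrated with a small script. The following is an added example written for this article; it is not ONEKEY's platform code and not taken from the report. The SBOM is a constructed CycloneDX-style JSON document, the advisory feed is a constructed OSV-style list, and all package names, advisory IDs, versions and ranges are hypothetical (no real vulnerabilities are described). Real feeds require the ecosystem's own version semantics; the generic dotted-version comparison here is an assumption that fits the made-up packages.

```python
import json
import re

# Constructed CycloneDX-style SBOM for a hypothetical device; not a real product's data.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"name": "example-plc-firmware", "version": "3.4.1"}},
  "components": [
    {"type": "library", "name": "example-tls", "version": "1.2.7",
     "purl": "pkg:generic/example-tls@1.2.7",
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "supplier": {"name": "Example TLS Project"}},
    {"type": "library", "name": "example-mqtt", "version": "0.9.3",
     "purl": "pkg:generic/example-mqtt@0.9.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-json", "version": "2.0.0",
     "purl": "pkg:generic/example-json@2.0.0",
     "supplier": {"name": "Example JSON Authors"}}
  ]
}
"""

# Constructed OSV-style advisories; IDs, packages and ranges are hypothetical.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "severity": "critical",
     "affected": [{"purl": "pkg:generic/example-tls",
                   "ranges": [{"introduced": "1.2.0", "fixed": "1.2.8"}]}]},
    {"id": "EXAMPLE-2025-0002", "severity": "high",
     "affected": [{"purl": "pkg:generic/example-mqtt",
                   "ranges": [{"introduced": "0.0.0", "fixed": "0.9.0"}]}]},
    {"id": "EXAMPLE-2025-0003", "severity": "medium",
     "affected": [{"purl": "pkg:generic/example-json",
                   "ranges": [{"introduced": "2.0.0"}]}]},  # no fixed version yet
]

# Metadata every component should carry (assumed minimum, derived from the text above).
REQUIRED_FIELDS = ("name", "version", "purl", "licenses", "supplier")


def parse_version(v):
    """Split a dotted version into a comparable tuple; numeric parts sort before text parts."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", v))


def in_range(version, rng):
    """OSV semantics: affected if introduced <= version < fixed (no 'fixed' means still open)."""
    v = parse_version(version)
    if v < parse_version(rng.get("introduced", "0")):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def purl_base(purl):
    """Drop the version, qualifiers and subpath so only the package identity is compared."""
    return purl.split("@", 1)[0].split("?", 1)[0].split("#", 1)[0]


def completeness_gaps(sbom):
    """Map component name -> list of missing required fields (empty map means complete)."""
    gaps = {}
    for c in sbom.get("components", []):
        missing = [f for f in REQUIRED_FIELDS if not c.get(f)]
        if missing:
            gaps[c.get("name", "<unnamed>")] = missing
    return gaps


def match_advisories(sbom, advisories):
    """Return (component, version, advisory id, severity, fixed-in) for each affected component."""
    hits = []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl:
            continue  # no package identity, cannot be matched; completeness_gaps reports it
        for adv in advisories:
            for aff in adv["affected"]:
                if purl_base(aff["purl"]) != purl_base(purl):
                    continue
                for rng in aff["ranges"]:
                    if in_range(c["version"], rng):
                        hits.append((c["name"], c["version"], adv["id"],
                                     adv["severity"], rng.get("fixed")))
    return hits


def scan(sbom_json=SBOM_JSON, advisories=ADVISORIES):
    """Run both checks over an SBOM document; meant to be re-run whenever the feed changes."""
    sbom = json.loads(sbom_json)
    return completeness_gaps(sbom), match_advisories(sbom, advisories)


if __name__ == "__main__":
    gaps, hits = scan()
    for name, missing in gaps.items():
        print(f"incomplete: {name} is missing {', '.join(missing)}")
    for name, ver, adv, sev, fixed in hits:
        print(f"affected: {name} {ver} -> {adv} ({sev}); fixed in {fixed or 'no fix yet'}")
```

The point of separating `completeness_gaps` from `match_advisories` is that a missing `purl` or version does not merely look untidy: a component without a package identity silently drops out of every vulnerability match, so an incomplete SBOM produces a falsely clean scan. Re-running `scan` against each new advisory batch, rather than once at release, is what turns the SBOM into the ongoing life-cycle control the text describes.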
About ONEKEY
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from purchasing, design, development and production through to end-of-life.

CONTACT:
Sara Fortmann
Senior Marketing Manager
sara.fortmann@onekey.com
euromarcom public relations GmbH
team@euromarcom.de