New Study Shows a Training Gap in Business Cyber Defense

ONEKEY IoT & OT Cybersecurity Report 2025: "Barely a third of organizations conduct Cyber Resilience Act training at least once a year."

Düsseldorf, January 15, 2026 — This year, the German economy should place a greater emphasis on cybersecurity training for its workforce. This is the conclusion reached in the latest "IoT & OT Cybersecurity Report 2025" published by the Düsseldorf-based cybersecurity company ONEKEY. Starting this fall, most of the strict reporting requirements for security incidents outlined in the European Union's Cyber Resilience Act will take effect. By fall 2027, manufacturers, distributors, and operators of networked digital devices, machines, and systems must comply with the EU regulation.

In accordance with the CRA, organizations must demonstrate that their products meet basic cybersecurity requirements and do not contain any known vulnerabilities. Additionally, the CRA requires companies to provide regular security updates, promptly address vulnerabilities, and develop a comprehensive software bill of materials (SBOM). Violations can result in heavy fines.

Nevertheless, according to ONEKEY's “IoT & OT Cybersecurity Report 2025,” fewer than one-third (30%) of the 300 companies surveyed for the report hold at least one training session per year on “cyber resilience” for their employees. Another 28 percent consider training on this topic once every one to two years to be sufficient. Nineteen percent answered "rarely or never" to the question about CRA training.

"The low level of training is all the more remarkable given that the threat level remains high," said ONEKEY CEO Jan Wendenburg. He is referring to police crime statistics (PKS), which list over 130,000 cases of cybercrime committed in Germany. The damage caused by cyberattacks is estimated at around 180 billion euros.

Jan Wendenburg warned: “The ongoing increase in digitalization and networking, as well as the use of artificial intelligence by cybercriminals, will further exacerbate the situation.” According to the "IoT & OT Cybersecurity Report 2025," over a third (35%) of surveyed companies have already experienced at least one cybersecurity incident related to noncompliance with CRA requirements. "The CRA's reporting requirements will take effect this fall," said the ONEKEY CEO, underscoring the approaching deadline.

ONEKEY offers a fully automated product and cybersecurity compliance platform. It automates SBOM creation, vulnerability management, and compliance testing, saving companies time, money, and stress.

ONEKEY offers a practical CRA Readiness Assessment workshop for organizations new to the regulation. In introductory sessions, participants learn how the CRA specifically affects their operations and receive an individualized assessment plan tailored to their situation. A detailed process review then evaluates key areas such as software development and vulnerability management. In addition, a gap analysis pinpoints existing compliance shortfalls and outlines practical remediation measures. By the end of the workshop, each company receives a customized roadmap that clearly shows how to implement CRA requirements in a structured and efficient way.

‍