ONEKEY Launches “CRA Fast Start” to Help Manufacturers Prepare for EU Cyber Resilience Act

Program targets manufacturers of connected digital devices, machines, and systems facing new regulatory requirements under the Cyber Resilience Act

Düsseldorf, February 19, 2026 — The Düsseldorf-based product cybersecurity company ONEKEY has introduced a program called "CRA Fast Start" that allows manufacturers of networked devices, machines, and systems to efficiently and systematically verify their products' compliance with the new EU security standard, the Cyber Resilience Act (CRA). According to estimates, the cybersecurity directive affects hundreds of millions, if not billions, of digital products in the EU. After the transition periods have expired, products will only be permitted to be placed on the market if manufacturers can demonstrate continuous vulnerability management, documented security processes, and ongoing monitoring of their software and firmware components throughout the entire product life cycle. ONEKEY's “CRA Fast Start” is accordingly based on three pillars: CRA Readiness Assessment, systematic vulnerability management, and continuous monitoring.

The program is designed for organizations at different stages of Cyber Resilience Act Readiness. For manufacturers approaching the CRA for the first time, the assessment provides structured guidance and an initial orientation. Companies already familiar with the regulation and seeking faster implementation can move directly into vulnerability management and continuous firmware monitoring. Additionally, a compliance check and a ONEKEY Compliance Wizard support the initial CRA compliance review. The ONEKEY Compliance Wizard is continuously developed and adapted to future regulatory requirements and expected harmonized standards.

"With CRA Fast Start, we enable manufacturers to systematically and quickly implement the required CRA compliance," said Jan Wendenburg, ONEKEY's CEO, explaining the new offering.

First Step: Assessing CRA Readiness

A key component of the new program is an initial, structured CRA Readiness Assessment. This assessment involves analyzing a company's current level of maturity in relation to CRA requirements. In addition to product requirements, the assessment examines processes for addressing vulnerabilities, software bills of materials (SBOMs) documentation, and organizational responsibilities, among other things. Based on the results, compliance gaps can be identified and prioritized action steps can be defined. ONEKEY particularly recommends this assessment to companies that are unsure of the extent to which they are affected by the CRA and what they need to do.

For organizations ready to move forward, continuous vulnerability management combined with ongoing firmware monitoring enables early detection of new risks while maintaining full visibility into

the software supply chain through SBOM transparency. Newly discovered vulnerabilities, affected libraries, and security-relevant changes are continuously tracked, creating lasting transparency into the security posture of digital products. This approach not only supports CRA compliance but also strengthens internal governance and risk management processes. The program is delivered through the ONEKEY Product Cybersecurity & Compliance Platform.

"Our platform, coupled with the CRA Readiness Assessment, combines our expertise in consulting with the ONEKEY platform's comprehensive analytical power. This new program addresses the urgent need for short-term action by introducing a long-term strategy to achieve compliance," Jan Wendenburg explains. He clarifies, "Ultimately, manufacturers must not only meet mandatory legal requirements but also make their product range truly resilient to cyberattacks. After all, any vulnerability that is exploited poses legal and reputational risks.”

Urgency Is Required

The CRA requires manufacturers to systematically identify, assess, and remedy vulnerabilities throughout the entire product lifecycle, among other things. ONEKEY meets this requirement by using a continuous vulnerability management approach that automatically analyzes software and firmware components and identifies known security gaps. This creates a robust database for assessing risks in a traceable manner and fulfilling regulatory documentation requirements.

There is no time to waste. Starting in 2026, the Cyber Resilience Act stipulates that actively exploited vulnerabilities must be reported to national authorities within 24 hours. Starting in 2027, all affected products must meet the full security requirements, including documented vulnerability management processes. Companies that fail to meet these deadlines risk fines of up to €15 million or 2.5 percent of their global annual turnover.