Study: Final Push for the Cyber Resilience Act — Nearly Two-Thirds of Companies Still Unaware
Tanja Sommer

The new EU cybersecurity directive brings multiple challenges for companies, including reporting obligations, the creation of Software Bills of Materials, and the shift to “secure by design” products.

ONEKEY IoT & OT Cybersecurity Report 2025: “Time for the final push toward CRA compliance.”

Düsseldorf, September 04, 2025 — The "IoT & OT Cybersecurity Report 2025," published by ONEKEY, a Düsseldorf-based cybersecurity company, concludes that the German economy is not prioritizing the EU Cyber Resilience Act (CRA). The CRA imposes obligations on manufacturers, importers, and distributors of networked devices, machines, and systems.

"In fall 2026, in about a year's time, the reporting requirements set out in the CRA will take full effect," explained ONEKEY CEO Jan Wendenburg. "A year later, all other obligations will follow. So now we're entering the final stretch. The report shows that there is currently too little evidence of this in the economy.” For the report, 300 German industrial companies were surveyed about their status and plans regarding the security of industrial control systems (operational technology, or OT) and Internet of Things (IoT) devices, which are at the core of the EU Cybersecurity Regulation. The report is available on the ONEKEY website: https://www.onekey.com/resource/iot-ot-cybersecurity-report-2025.

The survey shows that fewer than one in three companies (32%) are fully familiar with the EU Cyber Resilience Act requirements, while another 36% have at least begun to review them. More than a quarter (27%), however, have not engaged with the topic at all. This is reflected in the slow pace of implementation: only 14% of respondents have taken extensive measures to ensure compliance for their connected devices, machines, and systems. At least 38% have initiated first steps, while an equal share has yet to take any action, according to the “IoT & OT Cybersecurity Report 2025.”

The CRA Imposes Comprehensive Obligations

Considering the extensive requirements of the EU Cyber Resilience Act, the ONEKEY report describes these obligations as "astonishing." Manufacturers must develop secure products from the outset (security by design) and ensure CRA compliance throughout their products' life cycles. This includes protection against unauthorized access, protection of data integrity and confidentiality, and ensuring the availability of functions. Additionally, manufacturers must report actively exploited vulnerabilities and serious incidents that compromise the security of their products to the European Cybersecurity Authority (ENISA) and the relevant national Computer Security Incident Response Team (CSIRT) within 24 hours.

Providers are required to deliver regular security updates to address known vulnerabilities and safeguard their products. They must also supply comprehensive documentation for all products — including a Software Bill of Materials (SBOM) — to ensure full transparency and traceability of components. As Jan Wendenburg emphasized: “It is not enough to simply meet these requirements; compliance with the CRA must also be documented and demonstrably proven.”

Challenges in Operational Practice

To better understand the challenges companies face with the Cyber Resilience Act, ONEKEY asked respondents to identify the areas they consider most demanding. Multiple responses were allowed. According to the survey, 37% of companies view the requirement to report security-related incidents within 24 hours as the top challenge. Close behind, 35% cite meeting the “secure by design” and “secure by default” criteria. For 29%, the creation of a Software Bill of Materials (SBOM) poses the greatest difficulty, while a similar share highlight ongoing software vulnerability management as a major concern.

Jan Wendenburg from ONEKEY explained the background: "Many manufacturers of digital devices, machines, and systems have focused primarily on the functionality of their products, paying less attention to their vulnerability to cyberattacks. The Cyber Resilience Act now requires them to treat both aspects as equally important. Some companies are still finding this dual focus challenging." He points out that the new EU regulation covers an "extremely wide range of products." This includes digital toys, smart home devices, payment terminals, charging stations, IP cameras, medical devices, building automation systems, industrial controls, CNC machines, industrial robots, and production facilities with remote maintenance capabilities.

Change in Mindset Among Executives

Jan Wendenburg said, "In many of these market segments, cybersecurity has primarily been about protecting one's own company against attacks rather than protecting products against cyberattacks." He acknowledges that a change in mindset among executives has begun, but he notes that it will naturally take time. At the same time, he emphasizes the far-reaching consequences if companies do not prioritize the Cyber Resilience Act (CRA). "Networked devices, machines, and systems that do not meet CRA requirements will no longer be permitted for sale or operation in the EU. Given development times of two to three years, it is imperative to act with the utmost urgency."

Violations of the EU regulation may result in fines of up to €15 million or 2.5% of a company's annual global turnover, whichever is greater. Additionally, the board of directors, management, and/or other responsible parties may face personal liability.

According to ONEKEY CEO Jan Wendenburg, "The CRA obligations apply not only to manufacturers and distributors of connected digital products, but also to any company that operates such devices. Therefore, a company that uses non-CRA-compliant devices, machines, or systems is also affected.”

The Security Situation Is Alarming, Yet OT Is Being Neglected

In order to protect themselves and their customers from the growing threat of cybercrime and to comply with regulatory requirements, companies must adhere to the CRA. The Federal Office for Information Security (BSI) and the Federal Criminal Police Office (BKA) anticipate that the threat will continue to escalate in the coming years. In 2024 alone, cybercrime caused an estimated €178.6 billion in total damage in Germany, marking a €30.4 billion increase from the previous year.

Jan Wendenburg said, "Many companies focus on protecting computer systems and networks, but industrial control systems in machines and plants often receive too little attention when it comes to security issues." However, given the digital transformation of industrial processes, cyber threats on the shop floor are steadily increasing. Therefore, factories and logistics centers must apply the same high security standards as data centers.

ONEKEY has developed a platform for companies that supports core Internet of Things (IoT) and operational technology (OT) cybersecurity functions, including vulnerability detection, software bill of materials (SBOM) validation, and regulatory compliance.

About Onekey

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

CONTACT:
Sara Fortmann

Senior Marketing Manager
sara.fortmann@onekey.com

euromarcom public relations GmbH
team@euromarcom.de