ONEKEY report reveals the CRA is not being prioritised

A report published by ONEKEY has revealed that the German economy is not prioritising the EU Cyber Resilience Act

A report published by ONEKEY, a Germany-based cybersecurity company, has revealed that the German economy is not prioritising the EU Cyber Resilience Act (CRA). The CRA imposes obligations on manufacturers, importers, and distributors of networked devices, machines, and systems.

“In fall 2026, in about a year’s time, the reporting requirements set out in the CRA will take full effect,” said Jan Wendenburg, CEO, ONEKEY. “A year later, all other obligations will follow. So now we’re entering the final stretch. The report shows that there is currently too little evidence of this in the economy.”

As part of the report, ‘IoT & OT Cybersecurity Report 2025’, 300 German industrial companies were surveyed about their status and plans regarding the security of industrial control systems (operational technology, or OT) and Internet of Things (IoT) devices, the product categories at the core of the EU Cyber Resilience Act.

The survey shows that fewer than one in three companies (32%) are fully familiar with the EU CRA requirements, while another 36% have at least begun to review them. More than a quarter (27%), however, have not engaged with the topic at all. This is reflected in the slow pace of implementation: only 14% of respondents have taken extensive measures to ensure compliance for their connected devices, machines, and systems. A further 38% have initiated first steps, while an equal share has yet to take any action, according to the “IoT & OT Cybersecurity Report 2025.”

The CRA imposes comprehensive obligations

The ONEKEY report describes the scope of the obligations the EU Cyber Resilience Act imposes as “astonishing”. Manufacturers must develop secure products from the outset (security by design) and maintain CRA compliance throughout their products’ life cycles. This includes protection against unauthorised access, protection of data integrity and confidentiality, and ensuring the availability of functions.

In addition, manufacturers must report actively exploited vulnerabilities and severe incidents affecting the security of their products to the CSIRT (Computer Security Incident Response Team) designated as coordinator in their member state and to ENISA, the European Union Agency for Cybersecurity. The 24 hours the report cites is the early-warning deadline; it is followed by a fuller notification within 72 hours and a final report within 14 days (for vulnerabilities) or one month (for incidents).

Manufacturers are also required to deliver security updates that address known vulnerabilities for as long as a product is supported. They must also maintain technical documentation for every product, including a Software Bill of Materials (SBOM) covering at least its top-level dependencies, so that the components a product is built from are transparent and traceable.
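The SBOM requirement is the one artefact on this page that can be checked mechanically. The following is an added example, not code from ONEKEY or the report: it loads a constructed, hypothetical CycloneDX 1.5 JSON SBOM for a fictional firmware image and applies the completeness checks an auditor would expect before accepting the document, namely that the product itself is identified, every component carries a name, a version and a Package URL (purl), the purl version agrees with the component version, and bom-refs are unique. The component names and versions are made up for illustration.

```python
"""Completeness check for a CycloneDX JSON SBOM (added example, stdlib only).

The sample SBOM below is constructed for this example; it is not from the
ONEKEY report. It deliberately contains three defects so the checks have
something to find: a component without a version, one without a purl, and a
duplicated bom-ref.
"""
from __future__ import annotations

import json
import re

# Constructed sample: a hypothetical firmware SBOM with deliberate gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        "component": {
            "type": "firmware", "bom-ref": "fw",
            "name": "acme-gateway-fw", "version": "3.2.1",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "c1", "name": "openssl",
         "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13"},
        {"type": "library", "bom-ref": "c2", "name": "busybox",
         "purl": "pkg:generic/busybox"},                      # no version
        {"type": "library", "bom-ref": "c3", "name": "mbedtls",
         "version": "2.28.8"},                                # no purl
        {"type": "library", "bom-ref": "c1", "name": "zlib",
         "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},  # duplicate ref
    ],
})

# A purl always starts with "pkg:<type>/"; this only checks that prefix.
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/")


def purl_version(purl: str) -> str | None:
    """Extract the version part of a purl (after '@', before any '?' or '#')."""
    if "@" not in purl:
        return None
    tail = purl.rsplit("@", 1)[1]
    return tail.split("?", 1)[0].split("#", 1)[0]


def check_sbom(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means the SBOM passes."""
    sbom = json.loads(raw)
    findings: list[str] = []

    if sbom.get("bomFormat") != "CycloneDX" or "specVersion" not in sbom:
        findings.append("document is not a CycloneDX SBOM")

    # The product itself must be named and versioned in metadata.component.
    product = (sbom.get("metadata") or {}).get("component") or {}
    if not product.get("name") or not product.get("version"):
        findings.append("metadata.component (the product itself) lacks a name or version")

    seen_refs: set[str] = set()
    if product.get("bom-ref"):
        seen_refs.add(product["bom-ref"])

    for comp in sbom.get("components", []):
        name = comp.get("name") or "<unnamed>"
        ref = comp.get("bom-ref")
        if ref is not None:
            if ref in seen_refs:
                findings.append(f"component '{name}': duplicate bom-ref '{ref}'")
            seen_refs.add(ref)

        version = comp.get("version")
        if not version:
            findings.append(f"component '{name}': no version")

        purl = comp.get("purl")
        if not purl:
            findings.append(f"component '{name}': no purl")
        elif not PURL_RE.match(purl):
            findings.append(f"component '{name}': malformed purl '{purl}'")
        elif version and purl_version(purl) not in (None, version):
            findings.append(f"component '{name}': purl version does not match '{version}'")

    return findings


if __name__ == "__main__":
    for finding in check_sbom(SAMPLE_SBOM) or ["SBOM passes all checks"]:
        print(finding)
```

Run against the constructed sample, the check reports the missing version, the missing purl and the duplicated bom-ref; against a document that is not CycloneDX it reports that first. Real SBOMs should additionally be validated against the published CycloneDX schema, which this prefix-only purl check does not replace.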

As Jan Wendenburg stressed: “It is not enough to simply meet these requirements; compliance with the CRA must also be documented and demonstrably proven.”

Challenges in operational practice

To better understand the challenges companies face with the Cyber Resilience Act, ONEKEY asked respondents to identify the areas they consider most demanding. Multiple responses were allowed. According to the survey, 37% of companies view the requirement to report security-related incidents within 24 hours as the top challenge. Following close behind, 35% cite meeting the “secure by design” and “secure by default” criteria. For 29%, the creation of a Software Bill of Materials (SBOM) poses the greatest difficulty, while a similar share highlights ongoing software vulnerability management as a major concern.

“Many manufacturers of digital devices, machines, and systems have focused primarily on the functionality of their products, paying less attention to their vulnerability to cyber attacks,” said Wendenburg. “The Cyber Resilience Act now requires them to treat both aspects as equally important. Some companies are still finding this dual focus challenging.”

He pointed out that the new EU regulation covers an “extremely wide range of products.” This includes digital toys, smart home devices, payment terminals, charging stations, IP cameras, medical devices, building automation systems, industrial controls, CNC machines, industrial robots, and production facilities with remote maintenance capabilities.

Change in mindset among executives

“In many of these market segments, cybersecurity has primarily been about protecting one’s own company against attacks rather than protecting products against cyberattacks,” said Wendenburg.

He acknowledged that a change in mindset among executives has begun, but he noted that it will naturally take time. At the same time, he emphasised the far-reaching consequences if companies do not prioritise the CRA.

“Networked devices, machines, and systems that do not meet CRA requirements will no longer be permitted for sale or operation in the EU. Given development times of two to three years, it is imperative to act with the utmost urgency.”

Violations of the EU regulation may result in fines of up to €15 million or 2.5% of a company’s annual global turnover, whichever is greater. Additionally, the board of directors, management, and/or other responsible parties may face personal liability.

The security situation is alarming, yet OT is being neglected

In order to protect themselves and their customers from the growing threat of cybercrime and to comply with regulatory requirements, companies must adhere to the CRA. The Federal Office for Information Security (BSI) and the Federal Criminal Police Office (BKA) anticipate that the threat will continue to escalate in the coming years. In 2024 alone, cyber crime caused an estimated €178.6 billion in total damage in Germany, marking a €30.4 billion increase from the previous year.

“Many companies focus on protecting computer systems and networks, but industrial control systems in machines and plants often receive too little attention when it comes to security issues,” said Wendenburg.

However, given the digital transformation of industrial processes, cyber threats on the shop floor are steadily increasing. Therefore, factories and logistics centres must apply the same high security standards as data centres.

The report is available for download here.

