European manufacturers are struggling to determine who should be accountable for meeting the EU’s new Cyber Resilience Act (CRA), according to new research from German cybersecurity firm ONEKEY.
The regulation, which requires connected products to be designed and maintained to resist cyberattacks, is proving difficult to implement across industrial sectors, with responsibilities often fragmented between IT, compliance, legal, and product development teams.
ONEKEY’s 2025 IoT & OT Cybersecurity Report — based on a survey of 300 organisations — found that IT security departments bear primary responsibility for CRA compliance in 46% of companies, followed by compliance (21%), top management (18%), legal (16%), and product development (15%).
“The responsibilities need to be more clearly defined and consolidated,” said Jan Wendenburg, Chief Executive of ONEKEY. “The wide range of stakeholders involved reflects the Act’s broad scope, covering everything from product design and software development to vulnerability management and reporting obligations.”
Under the CRA, manufacturers of products with digital elements (connected hardware and the software it runs) must apply “security by design” principles, maintain cybersecurity throughout a product’s support period, and report actively exploited vulnerabilities and severe incidents to ENISA and the national CSIRT designated as coordinator: an early warning is due within 24 hours of becoming aware, followed by a fuller vulnerability notification within 72 hours and a final report within 14 days. Companies that fail to meet the Act’s essential requirements face fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.
Despite software playing a critical role in compliance, heads of software development are responsible for CRA implementation in only 8% of companies surveyed. This is notable given that the Act requires manufacturers to identify and document the components in their products, including a Software Bill of Materials (SBOM) in a machine-readable format covering at least the product’s top-level dependencies, and to identify and address known vulnerabilities in those components, a task Wendenburg described as “the weakest link in the compliance chain”.
“The CRA demands a precise inventory of all components, libraries, and dependencies,” he said. “Without automation, keeping pace with more than 2,000 new software vulnerabilities a month is practically impossible.”
More than 40% of organisations have established dedicated structures to manage CRA compliance, according to ONEKEY’s report. Around 28% have created cross-departmental working groups, while 13% have formed dedicated CRA teams. However, nearly one-third of companies still lack any formal structure for handling compliance.
Wendenburg said the findings highlight both the complexity of the new regulatory environment and the growing need for cross-functional collaboration. “Cybersecurity isn’t about ticking boxes,” he said. “It’s about protecting companies from increasingly sophisticated attacks with potentially dramatic consequences.”
To help firms navigate the new regulation, ONEKEY has launched a fully automated Product & Cybersecurity Compliance Platform that assists with SBOM creation, vulnerability management, and CRA verification. The company also offers a “CRA Readiness Assessment Workshop” to help organisations identify compliance gaps and develop implementation roadmaps.
ONEKEY, based in Düsseldorf and part of PricewaterhouseCoopers Germany’s investment portfolio, specialises in product cybersecurity and compliance management. Its technology uses artificial intelligence to analyse firmware, generate SBOMs, and monitor product security post-release.