Key Takeaways
- Only 32% of German industrial firms are fully aware of the EU Cyber Resilience Act (CRA), with more than a quarter having no engagement.
- The CRA requires manufacturers to report actively exploited vulnerabilities and severe incidents within 24 hours and to follow a “secure by design” approach across the product lifecycle.
- Failure to comply could result in significant fines and prohibit companies from selling devices in the EU.
A new report from ONEKEY highlights the lag in German industry preparedness for the EU Cyber Resilience Act (CRA). Despite the upcoming implementation of extensive cybersecurity requirements, many companies have not started to prepare adequately. The CRA dictates critical obligations for manufacturers, importers, and distributors regarding networked devices, machines, and systems.
The ONEKEY report indicates that a survey of 300 industrial companies shows fewer than one in three (32%) are fully informed about CRA requirements, while 36% have begun reviewing them. Alarmingly, 27% of respondents have not engaged with the new regulations at all. This lack of awareness is reflected in the limited compliance initiatives undertaken, with only 14% having taken significant action to meet CRA obligations.
Comprehensive Obligations of the CRA
The report describes the CRA obligations as “astonishing,” emphasizing that secure product development and compliance throughout the product lifecycle are essential. Companies must protect products against unauthorized access and preserve the confidentiality, integrity, and availability of data and functions. They must also report actively exploited vulnerabilities and severe incidents to the EU Agency for Cybersecurity (ENISA) and the relevant national authorities, with an early warning due within 24 hours of becoming aware of the issue and more detailed notifications following on fixed deadlines. Regular security updates for the support period and comprehensive product documentation, including a software bill of materials (SBOM), become mandatory.
Implementation Challenges
Respondents identified several challenges regarding CRA compliance. The requirement to report security incidents within 24 hours ranked as the top challenge for 37% of companies, followed closely by the criteria for “secure by design” and “secure by default” (35%). Creating a software bill of materials and managing ongoing software vulnerabilities were also noted as significant hurdles.
Jan Wendenburg, CEO of ONEKEY, remarks that many manufacturers have historically focused on product functionality rather than cybersecurity, which complicates the transition to the CRA’s “secure by design” and “secure by default” requirements. The legislation covers a wide array of products, from digital toys to industrial controls, underscoring the need for a comprehensive reassessment of cybersecurity strategies in manufacturing.
Executive Mindset Transformation
Wendenburg calls for a shift in executive mindset toward treating product security as a priority; until now, security has largely been understood as protecting the company’s own infrastructure rather than the products it ships. He warns that networked devices that do not comply with the CRA may no longer be sold in the EU, a development with significant ramifications given product development timelines of two to three years. Non-compliance can lead to fines of up to €15 million or 2.5% of annual global turnover, whichever is higher, and to personal liability for company executives.
Neglected Threats in Operational Technology
As companies strive to protect themselves against growing cybercrime, they often overlook the security of their industrial control systems. With an estimated €178.6 billion in cybercrime damages predicted for 2024, vigilance is crucial. Wendenburg observes that while many firms invest in IT security, OT security receives too little attention, particularly in digital manufacturing and logistics environments.
ONEKEY is addressing these challenges with a platform to enhance IoT and OT cybersecurity, offering functions like vulnerability detection, SBOM validation, and compliance support.
The content above is a summary. For more details, see the source article.