News from the Wire

Cybersecurity: Clear lines of responsibility needed

Friday, November 14, 2025 — 17:34:34 (UTC)

ONEKEY IoT & OT Cybersecurity Report 2025: The Cyber Resilience Act (CRA) poses new challenges for organizations, particularly when it comes to defining responsibilities across departments and functions.

Düsseldorf, 13 November 2025 – The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force in December 2024 and obliges manufacturers to develop products with digital elements securely, to monitor them for vulnerabilities after release and to report actively exploited vulnerabilities and severe incidents. Its reporting obligations apply from 11 September 2026 and the remaining requirements from 11 December 2027, so the preparatory work falls into this year. However, the question of who inside an organization is responsible for complying with the regulation remains largely unresolved across the industrial sector. This is one of the findings of the latest IoT & OT Cybersecurity Report by Düsseldorf-based cybersecurity company ONEKEY. For the study, 300 organizations were surveyed about their CRA strategies for Operational Technology (OT), such as industrial control systems, and the Internet of Things (IoT), from smart buildings to industrial robots.

CRA Covers a Broad Range of Topics

According to the survey, the main responsibility for meeting CRA requirements lies with IT security in 46 percent of companies. In just over one-fifth (21 percent), the compliance department holds primary responsibility. In 18 percent of cases, top management is in charge, followed by the legal department in 16 percent, and product development in 15 percent of the organizations surveyed. “The responsibilities need to be more clearly defined and consolidated,” said Jan Wendenburg, CEO of ONEKEY, analyzing the results. “The wide range of CRA stakeholders within the industry reflects the fact that the regulation itself covers a broad spectrum of topics,” he explained.

Manufacturers of connected products must design their devices, machines and systems to be secure from the ground up (security by design) and ensure that they continue to meet CRA requirements throughout their entire lifecycle. “This is clearly an area where engineering and product development play a central role,” said Jan Wendenburg, CEO of ONEKEY. In addition, manufacturers must report any actively exploited vulnerability and any severe incident affecting the security of their products to the European Union Agency for Cybersecurity (ENISA) and the relevant national Computer Security Incident Response Team (CSIRT). The 24 hours cited in the report are the deadline for the early warning; the CRA then requires a fuller notification within 72 hours and a final report within 14 days of a fix becoming available (for vulnerabilities) or within one month of the incident notification (for incidents), so a product security incident response process has to exist before the first report is due. “That responsibility typically falls to the IT security department,” explained Jan Wendenburg.

Manufacturers are also obligated to provide security updates that fix known vulnerabilities for the product's support period (at least five years under the CRA, unless the product is expected to be in use for a shorter time) so that the product stays secure. Equally important is comprehensive technical documentation for every product, including a Software Bill of Materials (SBOM) that makes the software components used transparent and traceable. “These tasks usually fall under the remit of development and production,” said Jan Wendenburg.

However, the documentation proving compliance with CRA requirements is primarily the responsibility of product management, working closely with the compliance department, he added. Violations of the regulation's essential requirements can result in fines of up to €15 million or 2.5 percent of global annual turnover, whichever is higher, which makes the CRA a critical issue for corporate legal teams as well. Finally, the risk of personal liability for executives and board members should not be underestimated, which explains why top management is increasingly becoming directly involved in the practical implementation of the Cyber Resilience Act.

Jan Wendenburg emphasized: “The Cyber Resilience Act is truly cross-departmental and cross-functional, which means responsibility within organizations is not immediately clear. What may first appear to be confusion over accountability is, on closer inspection, understandable. The challenge for industry lies in meeting the full scope of the EU regulation.”

Software Development Scarcely Involved—Despite the Critical Role of the SBOM

The study revealed a wide range of roles involved in CRA implementation. In 18 percent of organizations, product managers are responsible for CRA compliance, followed by compliance officers in 17 percent, Chief Information Security Officers (CISOs) in 15 percent, and cybersecurity analysts in 11 percent. Surprisingly, heads of software development are responsible in only 8 percent of companies, even though the Software Bill of Materials (SBOM) is a crucial element for fulfilling CRA requirements. Under Annex I of the regulation, manufacturers placing products with digital elements on the EU market must draw up an SBOM in a commonly used, machine-readable format (CycloneDX and SPDX are the two in common use) that covers at least the product's top-level dependencies, and keep it as part of the technical documentation, where market surveillance authorities can request it. Anything less than a complete, versioned component inventory makes it impossible to tell which products are affected when a new vulnerability is published, and the inventory has to be kept current across the product's lifecycle.

“The SBOM is the weakest link in the compliance chain for the Cyber Resilience Act,” said Jan Wendenburg, CEO of ONEKEY. He explained: “The CRA requires a precise inventory of all components, libraries, frameworks, and dependencies — including exact version numbers, license information, and an overview of all known vulnerabilities. If even one of these components contains an exploitable vulnerability that has already been used in an attack, the affected product or software version may not be placed on the market. For existing products, authorities must be notified within 24 hours. Considering that more than 2,000 new software vulnerabilities emerge every month, this is no easy task — and without automated verification, it’s practically impossible to manage.”
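An SBOM only supports the check described in the quote if something actually runs the comparison. The following Python script is added here as an illustration; it is not ONEKEY's platform code and does not come from the report. It loads a minimal CycloneDX JSON SBOM, matches each component's package URL (purl) and version against an advisory list, and separates findings that merely need an update from those involving an actively exploited vulnerability, which block release and trigger the CRA early warning. It also flags SBOM entries with no license information. The SBOM contents, the component names (libfoo, netparse, tlslite) and the advisory identifiers (EXAMPLE-2025-…) are constructed for the example; a real check would pull advisories from a vulnerability database and an exploited-in-the-wild list such as the CISA KEV catalogue instead of an inline list.

```python
"""Added example (not ONEKEY code): check a CycloneDX SBOM against an
advisory list and flag components with actively exploited vulnerabilities.
All component names, versions and advisory IDs below are constructed."""
import json

# Constructed CycloneDX 1.5 JSON document standing in for a real product SBOM.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:generic/libfoo@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "netparse", "version": "0.9.1",
     "purl": "pkg:generic/netparse@0.9.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "tlslite", "version": "2.0.0",
     "purl": "pkg:generic/tlslite@2.0.0"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs, not real CVEs). A production
# check would load this from a vulnerability database plus an
# exploited-in-the-wild list such as CISA KEV.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "purl_base": "pkg:generic/netparse",
     "affected_below": "1.0.0", "fixed_in": "1.0.0", "exploited": True},
    {"id": "EXAMPLE-2025-0002", "purl_base": "pkg:generic/libfoo",
     "affected_below": "1.3.0", "fixed_in": "1.3.0", "exploited": False},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple, so that
    "1.2.10" sorts after "1.2.9" (plain string comparison would not).
    Assumes purely numeric components; pre-release tags are not handled."""
    return tuple(int(part) for part in version.split("."))


def purl_base(purl: str) -> str:
    """Strip the version qualifier: pkg:generic/libfoo@1.2.3 -> pkg:generic/libfoo."""
    return purl.split("@", 1)[0]


def load_components(sbom_json: str) -> list:
    """Parse the SBOM and return its component list, rejecting other formats."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return bom.get("components", [])


def check_sbom(sbom_json: str, advisories: list) -> dict:
    """Match every component against the advisories.

    Returns the individual findings, the components whose SBOM entry lacks
    license information, whether release must be blocked (an exploited
    vulnerability is present) and which advisories require an early warning.
    """
    findings, missing_license = [], []
    for comp in load_components(sbom_json):
        version = parse_version(comp.get("version", "0"))
        if not comp.get("licenses"):
            missing_license.append(comp["name"])
        for adv in advisories:
            if adv["purl_base"] != purl_base(comp.get("purl", "")):
                continue
            if version < parse_version(adv["affected_below"]):
                findings.append({
                    "component": f'{comp["name"]}@{comp.get("version", "0")}',
                    "advisory": adv["id"],
                    "exploited": adv["exploited"],
                    "fixed_in": adv["fixed_in"],
                })
    exploited = [f for f in findings if f["exploited"]]
    return {
        "findings": findings,
        "missing_license": missing_license,
        "block_release": bool(exploited),
        "early_warning_required": [f["advisory"] for f in exploited],
    }


if __name__ == "__main__":
    print(json.dumps(check_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

Run as a script, it prints the result as JSON: the netparse finding carries exploited: true, so block_release is true and EXAMPLE-2025-0001 appears in early_warning_required, the libfoo finding only calls for an update to 1.3.0, and tlslite is listed under missing_license because its SBOM entry has no license information. Matching on the purl base rather than the display name avoids false negatives when the same library is listed under different names in different products.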

Over 40 Percent of Companies Now Have CRA-Specific Structures

To understand how organizations are addressing the cross-functional and interdisciplinary requirements of the Cyber Resilience Act, ONEKEY asked whether firms have created dedicated collaboration structures. The findings: 28 percent have set up working groups across departments, while 13 percent have gone further and formed dedicated CRA teams. Nearly a third (32 percent) of respondents, however, have no specific team structure for handling CRA compliance.

Among the companies with dedicated structures, 18 percent said their CRA teams include four to ten people, and 15 percent said up to three people are involved. In nearly 8 percent of cases, more than ten employees work on CRA implementation — covering everything from product development and SBOM creation to vulnerability management and compliance processes.

“It’s encouraging that more than 40 percent of organizations have established some form of internal structure to manage CRA implementation,” Jan Wendenburg noted. “Ultimately, cybersecurity isn’t about ticking regulatory boxes — it’s about protecting the company from increasingly sophisticated cyberattacks with potentially dramatic consequences.”

ONEKEY offers a fully automated Product & Cybersecurity Compliance Platform that streamlines SBOM creation, vulnerability management, and compliance verification — saving organizations significant time, cost, and effort.

For companies just beginning their CRA journey, ONEKEY also provides a CRA Readiness Assessment Workshop, offering a hands-on introduction to the regulation. Participants learn how the CRA specifically impacts their organization and receive a personalized evaluation plan. Through a detailed process review, the workshop assesses key areas such as software development and vulnerability management, while a gap analysis identifies compliance weaknesses and provides practical steps for remediation. At the end of the workshop, each company receives a tailored roadmap showing how to structure and efficiently implement CRA requirements in a way that strengthens both compliance and cybersecurity resilience.

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from purchasing and design through development and production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes, without source code, device, or network access. Integrated Software Bill of Materials (SBOM) generation lets customers audit their software supply chains proactively. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is supported by the integrated automatic prioritization of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.

Further information: ONEKEY GmbH, Sara Fortmann, email: sara.fortmann@onekey.com, Toulouser Allee 19A, 40211 Düsseldorf, Germany, web: onekey.com

PR Agency: euromarcom public relations GmbH, Mühlhohle 2, 65205 Wiesbaden, Germany, email: team@euromarcom.de, web: www.euromarcom.de

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.

Source: Company press release.

Categories: Reports and research