News from the Wire
Cyber Resilience Act requires product adaptations
Wednesday, April 02, 2025 — 23:15:49 (UTC)
Düsseldorf, April 2, 2025 – "Companies that are subject to the EU Cyber Resilience Act (CRA) should hurry to adapt their products to the CRA requirements," says Jan Wendenburg, CEO of the Düsseldorf-based cybersecurity company ONEKEY. He points out that the first CRA regulations will apply from September 2026 and all others from December 11, 2027. "From this date, all networked products must fully comply with the cybersecurity requirements of the Cyber Resilience Act," Jan Wendenburg explained. This applies equally to manufacturers, importers and retailers: Without CRA compliance, the CE mark may not be awarded and the products concerned may no longer be sold in the EU.
The European Commission's Cyber Resilience Act, adopted on December 10, 2024, is the most comprehensive regulation to date on the cybersecurity of connected products in Europe. For all manufacturers of devices "with digital elements", i.e. all smart products, whether for industry, consumers or businesses, time is of the essence, as the new security requirements must be taken into account during product development. "In view of product lifecycles that generally last for many years, the issue of CRA should therefore be given top priority in order to be able to continue selling on the EU market in the future," advised Jan Wendenburg.
"Security by Design" for CRA Compliance
Key elements of CRA compliance are "security by design", continuous risk assessment and vulnerability remediation. In addition, the EU CRA requires a Software Bill of Materials (SBOM) to make software components traceable and to identify risks in the supply chain at an early stage. The CRA classifies products into three security classes: Critical, Important and Other. Each class has its own set of requirements. Supply chain security is particularly important, as vulnerabilities in third-party and open source components can compromise the integrity of the entire system. The implementation period of 24 or 36 months from entry into force on December 10, 2024 is a significant challenge for manufacturers, as product development often takes years. To meet the requirements of the CRA, companies should implement cybersecurity best practices as soon as possible. In addition to the CRA, other regulatory frameworks such as RED II (EN 18031) and IEC 62443-4-2 need to be considered. Dedicated compliance tools can help to meet current and future requirements by providing a fast, easy and therefore efficient cybersecurity assessment of product software. ONEKEY's patent-pending Compliance Wizard is a good example.
"Companies that adapt their product strategy in time will not only secure their market authorisation in the EU, but also their competitiveness. Product lifecycle cybersecurity, proactive compliance and supply chain visibility are becoming essential success factors for all manufacturers in the EU market," explained Jan Wendenburg.
The New CRA Requirements and Their Impact
To meet the new requirements, companies must be able to identify security vulnerabilities in their products and perform continuous monitoring throughout the product lifecycle. This means that each software release must be tested and – while it is active – continuously monitored for potential new vulnerabilities. New vulnerabilities must be continuously assessed and, if necessary, reported and/or mitigated.
The CRA requirements cover the entire lifecycle of smart products – from design and development to operation and decommissioning. Manufacturers are required to provide security updates for their products for a minimum of five years. If the product is used for a shorter period of time, this period can be shortened accordingly. "However, in many industries, product lifecycles of 10 or 20 years or more are not uncommon. This means that monitoring, maintenance, vulnerability management and patch strategies need to be maintained over a similarly long period," said Jan Wendenburg, explaining the challenges.
"The implementation of the Cyber Resilience Act poses significant practical challenges for manufacturers," explained Jan Wendenburg. He gave specific examples: "In industrial manufacturing, control and production systems are used for decades, and regular security updates are required to ensure compliance. In the IoT industry, such as smart home appliances, constant maintenance of the Software Bill of Materials is also required to quickly identify and fix potential vulnerabilities." Companies need to work closely with their suppliers and use third-party software testing tools, such as binary analysis solutions, to ensure security monitoring at the point of receipt and throughout the product lifecycle. "Only automated processes and tools for vulnerability and compliance analysis make it possible to meet the new regulatory requirements in an economically viable and efficient manner," said Jan Wendenburg.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development and production through to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes - without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH, Sara Fortmann, E-Mail: sara.fortmann@onekey.com, Kaiserswerther Straße 45, 40477 Düsseldorf, Germany, Web: www.onekey.com
Source: Company press release.