ONEKEY Report: Industry Needs to Catch Up On Cybersecurity Standards
ONEKEY IoT & OT Cybersecurity Report 2025: More than half of companies have begun to align with the EU Cyber Resilience Act, but there is still work to be done to put it into practice.
Düsseldorf, October 21, 2025 – As the EU Cyber Resilience Act nears the end of its transition period in 2026/27, industry preparation is under way, but progress needs to accelerate, particularly around the technical standards tied to the regulation. According to a new survey by ONEKEY, a Düsseldorf-based cybersecurity firm, 38 percent of German companies have already taken initial steps towards CRA compliance, while a further 14 percent report having extensive measures in place.
"It's encouraging that more than half of the companies have already started to follow the new EU regulation," said Jan Wendenburg, the CEO of ONEKEY. The company is making the results of the survey available for free on its website in the "IoT & OT Cybersecurity Report 2025": https://www.onekey.com/resource/iot-ot-cybersecurity-report-2025. The report is based on a survey of 300 companies about their current status and strategy in "Operational Technology" (OT), such as industrial control systems, and the "Internet of Things" (IoT), ranging from smart home devices to industrial robots.
From Industry 4.0 to the IoT Sector
In 2024, the EU adopted a new cybersecurity regulation to strengthen resilience across Europe. It will be phased in, with extensive requirements coming into force between 2026 and 2027. The rules apply not only to core IT and network infrastructure, but also to connected devices, machines and systems that are not traditional computers yet contain digital components and internet access. “That spans the whole Industry 4.0 landscape and the wider IoT sector,” said Jan Wendenburg, outlining the regulation's broad economic impact.
Despite recent adjustments by lawmakers, survey findings indicate that many German companies still have work to do to meet the technical standards set out in the Cyber Resilience Act.
Low Uptake of IEC 62443-4-2
Only 27 percent of surveyed companies report aligning with IEC 62443-4-2, the standard that sets technical security requirements for components of industrial automation and control systems (IACS). IEC 62443-4-2 specifies measures for authentication, access control, system integrity, data confidentiality, and more—providing a practical framework to meet technical cybersecurity requirements. Wider adoption would help organisations build a solid basis for future CRA compliance.
The standard specifies cybersecurity requirements for components such as embedded systems, network components, host devices, and software applications. Its requirements are organised around seven foundational requirements: identification and authentication, usage control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability. These are graded into four security levels (SL 0-4), which indicate the degree of protection against different types of attackers, from unintentional misuse (SL 1) to intensive attacks (SL 4). The goal is to describe how well a component can protect itself against attacks without additional countermeasures; that rating is the component's capability security level (SL-C).
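To make the security-level vocabulary concrete, the following is an added example (not ONEKEY code and not taken from the standard's text) that models a security-level vector with one level per foundational requirement and compares a component's claimed capability level (SL-C) against a required level. The seven foundational requirement names follow the paragraph above; the idea of a separate "target" vector, the collapse of a vector to its weakest entry, and all sample values are assumptions made for illustration.

```python
import re

# The seven foundational requirements (FRs) named in the text, in the order
# used for security-level vectors throughout this example.
FOUNDATIONAL_REQUIREMENTS = (
    "identification and authentication",
    "usage control",
    "system integrity",
    "data confidentiality",
    "restricted data flow",
    "timely response to events",
    "resource availability",
)

SL_MIN, SL_MAX = 0, 4  # security levels SL 0 to SL 4, as stated on the page


def validate_vector(vector):
    """Return the vector as a tuple of ints after checking that it has exactly
    one level per FR and that every level lies within SL 0..SL 4."""
    if len(vector) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError(
            f"expected {len(FOUNDATIONAL_REQUIREMENTS)} levels, got {len(vector)}"
        )
    levels = tuple(int(v) for v in vector)
    for fr, lvl in zip(FOUNDATIONAL_REQUIREMENTS, levels):
        if not SL_MIN <= lvl <= SL_MAX:
            raise ValueError(f"{fr}: level {lvl} outside SL {SL_MIN}-{SL_MAX}")
    return levels


def is_valid_vector(vector):
    """Boolean wrapper around validate_vector for callers that only need yes/no."""
    try:
        validate_vector(vector)
        return True
    except (ValueError, TypeError):
        return False


def parse_vector(text):
    """Parse a vector written like 'SL-C: 2, 2, 3, 2, 1, 2, 1'.
    The 'SL-x' prefix is optional; levels may be separated by spaces or commas.
    (Constructed notation for this example, not a format defined by the standard.)"""
    body = re.sub(r"^\s*SL-[A-Za-z]\s*:?\s*", "", text)
    parts = re.split(r"[\s,]+", body.strip())
    return validate_vector(parts)


def overall_level(vector):
    """Collapse a vector to a single headline level.
    Assumption: a component is only as strong as its weakest FR, so the
    headline level is the minimum over the vector."""
    return min(validate_vector(vector))


def gap_report(target, capability):
    """Compare a required level per FR (target) with the component's claimed
    capability vector (SL-C). Returns {FR: (claimed, required)} for every FR
    where the claim falls short; an empty dict means no gap."""
    t = validate_vector(target)
    c = validate_vector(capability)
    return {
        fr: (claimed, required)
        for fr, required, claimed in zip(FOUNDATIONAL_REQUIREMENTS, t, c)
        if claimed < required
    }


if __name__ == "__main__":
    # Constructed sample: a deployment requiring SL 2 across the board and a
    # component whose data sheet claims the capability vector below.
    required = (2, 2, 2, 2, 2, 2, 2)
    claimed = parse_vector("SL-C: 2, 2, 3, 2, 1, 2, 1")
    print("headline SL-C:", overall_level(claimed))
    for fr, (have, need) in gap_report(required, claimed).items():
        print(f"gap: {fr}: claimed SL {have}, required SL {need}")
```

The gap report is the useful output for a practitioner: a component whose headline level reads as SL 1 can still meet SL 2 or better on five of seven foundational requirements, and the per-FR view shows exactly which requirements need compensating measures or a different component.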
Low adoption of ETSI EN 303 645
According to the ONEKEY report, a second standard essential to CRA compliance, ETSI EN 303 645, also receives little attention in product development. Only a quarter of the companies surveyed take this standard into account. ETSI EN 303 645 defines cybersecurity requirements for connected consumer devices to ensure baseline protection against cyberattacks.
The standard comprises 13 core requirements, including secure default configurations, protection of personal data, software updates and secure communications. It is closely linked to the EU Cyber Resilience Act, serving as a harmonised standard to meet CRA requirements for IoT devices—particularly around secure development, vulnerability management and transparency. By conforming to ETSI EN 303 645, manufacturers can establish a key prerequisite and foundation for future CRA compliance, including the CE marking required for the EU market.
Adoption of the Radio Equipment Directive (RED) Remains Low
The ONEKEY report indicates that industry still has ground to make up on the RED (EN 18031). Only 16 percent of surveyed companies report aligning with the directive, despite its importance for connected devices, systems and machines. As more industrial equipment, sensors, actuators and other digital products communicate via radio, RED compliance helps ensure electromagnetic compatibility and prevents interference in radio communications. Manufacturers must demonstrate that products—and any radio technologies they embed—meet the directive’s essential requirements before they are placed on the European market. Aligning with RED also positions organizations for the Cyber Resilience Act, which raises the bar on security and assurance.
Jan Wendenburg commented: “With the Cyber Resilience Act, the EU has created a comprehensive set of rules spanning technical standards through to reporting obligations. Full implementation will be a challenge for the industry, but it will soon become a prerequisite for selling, using or operating connected devices, systems and equipment in the EU.”
Support Through Assessment Workshops
ONEKEY helps companies prepare for important government audits by offering workshops that teach practical skills. In the initial sessions, participants learn about the specific impact of RED and CRA on their operations and receive an individual assessment plan based on that information. A process review then analyses key areas such as software development and vulnerability management. A gap analysis identifies existing compliance gaps and shows ways to remedy them. At the end of the workshop, each company receives a roadmap that shows how to meet the requirements of RED and CRA in an organised and efficient way.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Integrated generation of Software Bills of Materials (SBOMs) supports proactive auditing of software supply chains. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH, Sara Fortmann, e-mail: sara.fortmann@onekey.com, Toulouser Allee 19A, 40211 Düsseldorf, Germany, web: https://onekey.com
PR agency: euromarcom public relations GmbH, Mühlhohle 2, 65205 Wiesbaden, Germany, e-mail: team@euromarcom.de, web: www.euromarcom.de