EU Cyber Resilience Act becomes a Tour de Force for the Industry

Time-to-market becomes a gamble without automated analysis routines

DĂĽsseldorf/Germany, October 10, 2022  – All products with digital elements – from routers to smart refrigerators to televisions and, above all, any modern industrial equipment – should no longer pose cyber risks to users in the future. This is what the EU Commission is demanding, and with the Cyber Resilience Act – a law on “cyber resilience” (Download preliminary PDF version) – it is stipulating that products “with digital elements,” such as hardware and software, must be protected against vulnerabilities that can be exploited by hackers during their full life cycle in the future. “This law will be a tour de force for the industry. The regulation is overdue and makes a lot of sense, as especially in recent months more and more such vulnerabilities have been mercilessly exploited by smart devices or used as a gateway into networks. However, the time-to-market for new products and equipment will suffer enormously from the set of rules, and without automated analysis and testing routines, the process is almost impossible to map,” says Jan Wendenburg, CEO of ONEKEY. For the first time, the European IoT/ OT security specialist enables software-based automated analysis of binary software to detect previously unknown vulnerabilities – up to zero-day gaps.

Software bill of materials (SBOM) solves many problems

Until recently, neither users nor producers or distributors were aware of the “ingredients” that make up products with digital elements and network connections. This is a problem, though, because the use of third-party code is spiraling out of control. In general, software has long since ceased to be developed in a single source, but it is assembled from modules, i.e. components – whether open-source or binary-licensed software. This component construction method is used in order to lower development costs and save time. The challenge is that the components can contain components again – and so deeply nested, the own firmware can contain malware, bugs or other vulnerabilities all of which the developer is unaware. “Without a robust and reliable code review process, companies cannot be sure of the threats and have, according to the Cyber Resilience Act, one foot in the future punishable space,” Wendenburg continues. ONEKEY is one of the few providers worldwide that can already create the SBOM (Software Bill of Materials) with an automated firmware analysis without source code, and can also continue to maintain this steadily and fully automated during updates.

Industrial control systems particularly at risk

EU legislation also stipulates that producers must guarantee the security and integrity of components or products and systems for a period of five years or the intended life span of a product – the shorter period being relevant. Here, the ONEKEY security expert sees a need to catch up, especially in the case of industrial control systems: “IoT systems are in use in industry – in factories, in service and manufacturing – much longer, even if the producer discontinues the product after five years. Here, companies must be especially aware that the protection of the EU law ends at some point and personal responsibility begins,” warns Jan Wendenburg of ONEKEY. Furthermore, in the near future the marketing of products with known vulnerabilities will be prohibited. This will put an end to the copy-paste engineering that is often common today and which frequently re-integrates undetected or even known bugs into new products. In the future, used components or final results must be tested to prevent old vulnerabilities from being copied into new products. 

Wondering if you are Cyber Resilience Act ready?
ONEKEY’s Cybersecurity experts are ready to support you. Here, you will find more details.  


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150