Importers and distributors are considered manufacturers: EU Cyber Resilience Act raises stakes

OEM products become a cyber risk for chain stores, buying cooperatives and many more

Düsseldorf/Germany, October 24, 2022 – The Cyber Resilience Act aims to close gaps in cybersecurity across the entire supply chain of products and protect consumers and companies from dangerous attacks by hackers. As a result, importers and distributors are also liable now – and in some cases are even considered manufacturers by the EU. “Thus, we have the situation that importers of OEM goods that are labeled only – all the way to Internet providers who make devices available to their customers under their own name – are considered manufacturers and must also fully comply with the regulations for manufacturers,” says Jan Wendenburg, CEO of ONEKEY. In consequence, every product with digital elements – i.e. a microprocessor – must be protected during its entire life cycle against vulnerabilities that can be exploited by hackers. Associated with this are reporting and due diligence requirements, as well as the creation of a pedigree of all digital components in the form of a Software Bill of Materials (SBOM). So far, however, importers and large distributors of OEM goods from Asia are hardly equipped to deal with this case, and the necessary resources and competencies must be built up quickly in order to carry out these checks.

EU intervenes in supply chains

“The EU Commission is thus interfering with the established structures of the IT distribution model. Many companies order white labeled goods from large Asian manufacturers, who rarely meet the new security requirements of the Cyber Resilience Act and have no primary interest in complying with them. The new regulation, which is right for consumers and users in the economy, thus requires a structural rethinking of the previous trading model,” Jan Wendenburg of ONEKEY further explains. His company enables software-supported automated analysis of connected smart devices, including all assemblies and components used, to detect previously unknown vulnerabilities. On this basis, ONEKEY can already create an SBOM with the complete DNA of a connected device.

Companies that adapt their processes in good time can optimize the time-to-market for new products under the new regulations as well, and reduce their liability risk. Automated analysis and test routines are a prerequisite, however, because the security and integrity of the device must continue to be guaranteed even when one of its components is updated.

Security also for existing devices

“We deserve to feel safe with the products we buy in the single market,” stated Executive Vice-President for a Europe Fit for the Digital Age Margrethe Vestager in an EU press release. “It will put the responsibility where it belongs, with those that place the products on the market,” Vestager further specified. With the concept of “integrated cybersecurity,” the Commission wants to take countermeasures, she said. “This step is right and important. In recent months, not only the frequency but also the impact of attacks has increased. In addition, it is becoming increasingly clear that there are countless systems in use in connected products and corporate environments alone that still contain numerous vulnerabilities and urgently need to be investigated as well,” analyzes cybersecurity specialist Wendenburg. Thus, ONEKEY is receiving an increasing number of inquiries from industry and business, and a large number of security vulnerabilities up to possible zero-day exploits could be found and fixed.

Are you wondering if you are prepared for the Cyber Resilience Act? You can book a CRA Readiness Assessment with ONEKEY.


ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated Compliance Wizard™ already covers the upcoming EU Cyber Resilience Act (CRA) and existing requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.



Sara Fortmann

Marketing Manager


euromarcom public relations GmbH

+49 611 973 150