Importers and distributors are considered manufacturers: EU Cyber Resilience Act raises stakes

OEM products become a cyber risk for chain stores, buying cooperatives and many more 

Düsseldorf/Germany, October 24, 2022 – The Cyber Resilience Act aims to close gaps in cybersecurity across the entire supply chain of products and protect consumers and companies from dangerous attacks by hackers. As a result, importers and distributors are also liable now – and in some cases are even considered manufacturers by the EU. „Thus, we have the situation that importers of OEM goods that are labeled only – all the way to Internet providers who make devices available to their customers under their own name – are considered manufacturers and must also fully comply with the regulations for manufacturers,“ says Jan Wendenburg, CEO of ONEKEY. In consequence, every product with digital elements – i.e. a microprocessor – must be protected during its entire life cycle against vulnerabilities that can be exploited by hackers. Associated with this are reporting and due diligence requirements, as well as the creation of a pedigree of all digital components in the form of a Software Bill of Materials (SBOM). So far, however, importers and large distributors of OEM goods from Asia are hardly equipped to deal with this case, and the necessary resources and competencies must be built up quickly in order to carry out these checks. 

EU intervenes in supply chains   
„The EU Commission is thus interfering with the established structures of the IT distribution model. Many companies order white-labeled goods from large Asian manufacturers, who rarely meet the new security requirements of the Cyber Resilience Act and have no primary interest in complying with them. The new regulation, which is right for consumers and users in the economy, thus requires a structural rethinking of the previous trading model,“ Jan Wendenburg of ONEKEY further explains. His company enables software-supported automated analysis of connected smart devices, including all assemblies and components used, to detect previously unknown vulnerabilities. On this basis, ONEKEY can already create a SBOM with the complete DNA of a connected device.  
Companies that adapt their processes in due time can optimize the time-to-market for new products also based on the new regulations and reduce the liability risk. Automated analysis and test routines are a prerequisite, however, because even in the event of an update of one of the components, the security and integrity of the device must continue to be guaranteed. 

Security also for existing devices 
„We deserve to feel safe with the products we buy in the single market,“ stated Executive Vice-President for a Europe Fit for the Digital Age Margrethe Vestager in an EU press release. „It will put the responsibility where it belongs, with those that place the products on the market,“ Vestager further specified. With the concept of „integrated cybersecurity,“ the Commission wants to take countermeasures, she said. „This step is right and important. In recent months, not only the frequency but also the impact of attacks has increased. In addition, it is becoming increasingly clear that there are countless systems in use in connected products and corporate environments alone that still contain numerous vulnerabilities and urgently need to be investigated as well,“ analyzes cybersecurity specialist Wendenburg. Thus, ONEKEY is receiving an increasing number of inquiries from industry and business, and a large number of security vulnerabilities up to possible zero-day exploits could be found and fixed.

Are you wondering if you are prepared for the Cyber Resilience Act? You can book a CRA Readiness Assessment with ONEKEY under the following link: https://onekey.com/cra-readiness-assessment

About ONEKEY:  
ONEKEY is a leading European specialist for automatic security & compliance analyses for devices in industry (IIoT), production (OT) and the Internet of Things (IoT). ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations via automatically generated „Digital Twins“ and „Software Bill of Materials (SBOM)“ of the devices, completely without source code, device, or network access. Vulnerabilities for attacks and security risks are identified in the shortest possible time and can thus be specifically fixed. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use, 24/7 throughout the entire product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL, use this platform today – universities and research institutions can use the ONEKEY platform for study purposes free of charge.