EU Cyber Resilience Regulation could mean Millions in Fines for Manufacturers, Distributors and Importers

IoT security provider ONEKEY offers quick compliance check for Cyber Resilience Act readiness

Düsseldorf/Germany, January 18, 2023 – The EU Commission’s Cyber Resilience Act (CRA) is intended to resolve the digital fragmentation problem surrounding devices and systems with network connections, from printers and routers to smart household appliances and industrial control systems. Industrial networks and critical infrastructures require special protection. According to the European Union, there is currently a ransomware attack every eleven seconds. In the last few weeks alone, the victims included a leading German children’s food manufacturer and a global Tier 1 automotive supplier headquartered in Germany, the latter hit by a massive ransomware attack. Such an attack even led to insolvency at the German manufacturer Prophete in January 2023. To press manufacturers, distributors and importers into action, the regulation provides for significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed. “The pressure on the industry – manufacturers, distributors and importers – is growing immensely. The EU will implement this regulation without compromise, even though there are still some work packages to be done, for example regarding local country authorities,” says Jan Wendenburg, CEO of the cybersecurity company ONEKEY.

Fines of 15 million Euros – or 2.5 percent of annual revenues

The fines for affected manufacturers and distributors are accordingly severe: up to 15 million euros or 2.5 percent of global annual revenues in the past fiscal year, whichever is larger. “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented,” Wendenburg continues.

Manufacturers, distributors and importers are required to notify ENISA – the European Union’s cybersecurity agency – within 24 hours if a security vulnerability in one of their products is exploited. Exceeding the notification deadlines is already subject to sanctions.

Manufacturers need to act now on cyber resilience readiness

The Commission’s proposal provides for the new requirements to be in force 24 months after the regulation takes effect. Individual elements, such as the obligation to report security incidents, should already apply after 12 months. “The time horizon is tight, considering that orders for IT products are already being placed with OEM manufacturers this year for the next 12-18 months. Therefore, the timing situation needs to be considered and resolved now, before a product ends up not being launched or delayed due to defects,” explains Jan Wendenburg of ONEKEY. The company operates a firmware analysis platform for spotting security vulnerabilities in smart and connected devices, from vacuum cleaner robots to industrial control systems worth millions. With a Cyber Resilience Readiness Assessment, ONEKEY offers manufacturers, distributors, and importers a way to check their products against essential requirements of the Cyber Resilience Act, to investigate security gaps, and to provide data for the SBOM (Software Bill of Materials) required by the EU Commission.

In the blog post “EU Cyber Resilience Act: What to watch out for now”, ONEKEY also provides a detailed analysis of the EU Cyber Resilience Act: timing, requirements, and necessary responses.

ONEKEY is a leading European specialist for automated security & compliance analysis for manufacturing (OT) and Internet of Things (IoT) devices. Using automatically generated “Digital Twins” and “Software Bill of Materials (SBOM)” of devices, ONEKEY autonomously analyzes firmware for critical security vulnerabilities and compliance violations, all without source code, device, or network access. Vulnerabilities and security risks are identified in the shortest possible time and can thus be remedied in a targeted way. Easily integrated into software development and procurement processes, the solution enables manufacturers, distributors, and users of IoT technology to check security and compliance quickly and automatically before use, 24/7 throughout the product lifecycle. Leading companies, such as SWISSCOM, VERBUND AG and ZYXEL, are using this platform today. For research institutions and non-profit organizations, the ONEKEY platform is available at discounted terms & conditions.

Further Information: ONEKEY GmbH,  
Sara Fortmann, E-Mail:,
Kaiserswerther Straße 45, 40477 Düsseldorf, Germany,  
PR Agency: euromarcom public relations GmbH,
Mühlhohle 2, 65205 Wiesbaden, Germany,
Phone: +49 611 9731 50, E-Mail:,

