- “In future, smart-connected devices must comply with the new EU Cyber Resilience Act. Otherwise, it will be illegal to sell them in the European Union. Manufacturers face fines of up to 15 million euros or 2.5 percent of their annual global turnover,” reminds Jan Wendenburg, CEO of the German cyber security specialist ONEKEY.
- Thousands of companies outside Europe in Asia and America are also affected by the new EU regulation.
DUESSELDORF, Germany – Last year, the European Union (EU) introduced a new regulation that will affect all manufacturers who supply connected electronic products to EU countries: the EU Cyber Resilience Act (CRA). The CRA makes manufacturers responsible for the cybersecurity of their products, not just at the point of sale but throughout the entire product lifecycle. Once the CRA takes effect, selling smart connected devices without regular cyber resilience testing will be illegal in Europe. Violations could result in fines of up to €15 million ($16.75 million) or 2.5% of annual global turnover, whichever is higher.
Jan Wendenburg, CEO of ONEKEY, stated: “At ONEKEY, we are fully prepared to test internet-connected electronic products for compliance with EU cybersecurity regulations before they enter the European Union market. Products that fail to meet the CRA requirements will not be eligible for the CE mark, which is mandatory for sale within the EU.”
A Thriving and Expanding Market in Europe
The European Union, comprising 27 countries and a population of around 448 million, currently hosts nearly 20 billion connected devices. These include smart home appliances, connected vehicles, industrial sensors, and medical devices. By 2030, the number of connected digital products in use within the EU is projected to reach 30 billion. As a result, the market is expected to grow from €120 billion in 2024 to between €250 billion and €300 billion by 2030. “No international manufacturer of electronic products will want to miss out on the European market,” says cybersecurity expert Jan Wendenburg.
He also points to another regulatory peculiarity in the European Union: If artificial intelligence (AI) is used in networked devices, either directly or via a cloud connection, the EU Artificial Intelligence Act (EU AI Act) must also be observed via the EU Cyber Resilience Act if international companies want to sell electronic products in the countries of the European Union.
Scope and Implications for Manufacturers, Importers, and Dealers
ONEKEY CEO Jan Wendenburg points out that the CRA regulation applies not only to product manufacturers, but also to distributors, i.e. importers and retailers who sell connected devices within the EU. The Cyber Resilience Act also covers all online platforms through which consumers or businesses can purchase electronic products in European countries, without exception. “There is no loophole,” says Jan Wendenburg, “as soon as a product of any type or origin has an internet connection, the strict requirements of the EU CRA legislation apply.”
Because of the need for continuous software updates, it is necessary to prepare a networked device for distribution in the European Union right from the development phase. “EU legislation is based on security by design,” explains Jan Wendenburg. “With a development time of one and a half to three years, depending on the product category, it is therefore high time to focus on an EU-compliant product range,” says the ONEKEY CEO.
Product Cybersecurity & Compliance Platform Ensures EU Compliance
ONEKEY operates a Product Cybersecurity & Compliance Platform (PCCP) that enables international manufacturers, distributors and retailers to automatically check their networked devices, machines and systems for compliance with the European Union’s Cyber Resilience Act. This includes all Operational Technology (OT) and Internet of Things (IoT) product classes.
In just a few minutes, a fully automated audit can provide a detailed analysis of vulnerabilities in product software and assess their relevance. The audit also identifies potential compliance violations, saving both time and money. The resulting documentation can serve as evidence for cybersecurity compliance, helping manufacturers and distributors demonstrate to EU authorities that they meet the highest standards of compliance. “In case of doubt, it’s not only crucial to comply with regulations, but also to document this compliance in a legally effective manner,” emphasizes Jan Wendenburg. “The ONEKEY Product Cybersecurity & Compliance Platform offers both: comprehensive testing of connected products and verifiable proof for EU institutions.”
In the past, the European Union has repeatedly imposed draconian fines on international companies for violating various EU regulations and laws. Examples include Apple (€13 billion, 2016), Google (€4.34 billion, 2018), Amazon (€746 million, 2021), Samsung (€145 million, 2013), Sony, Panasonic and Sanyo (€166 million, 2016) and ChemChina (€68 million, 2017). “The EU is not afraid to go after the big players, so it is even less afraid of fining smaller and medium-sized companies for non-compliance with EU rules,” says Jan Wendenburg.
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of an automated Product Cybersecurity & Compliance Platform (PCCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated software bill of materials (SBOM) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated Compliance Wizard™ already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform and ONEKEY Cybersecurity Experts.
Contact us: ONEKEY GmbH,
Kaiserswerther Str. 45, 40477 Duesseldorf, Germany,
Sara Fortmann, e-mail: sara.fortmann@onekey.com,
website: https://onekey.com
