- Cyber Resilience Act: Effective vulnerability management and the automated generation of software bills of materials will be essential for manufacturers of connected products.
- Winner of the prestigious “Best in Show Award” at the “Embedded World” trade fair.
Düsseldorf — With the Cyber Resilience Act (CRA), the European Union has, for the first time, established a binding legal framework for the cybersecurity of digital products. For manufacturers of connected devices, machines, and systems, this underscores the need to systematically manage security vulnerabilities across the entire product lifecycle. The Düsseldorf-based cybersecurity company ONEKEY provides an effective vulnerability management solution that includes the automated generation of a software bill of materials (SBOM).
While many companies have relied primarily on traditional IT security measures thus far, the CRA requires a significantly more comprehensive approach. In future, manufacturers must be able to identify vulnerabilities early on, assess their risks, provide security updates, and transparently document these processes.
Vulnerability Management Becomes a Regulatory Requirement
These new requirements place structured vulnerability management at the center of compliance. Companies must regularly verify whether their products contain known or newly discovered security vulnerabilities. This includes analyzing all software components that make up modern devices and applications.
The growing complexity of today’s software supply chains is particularly relevant in this context. Many products include hundreds or even thousands of open-source and third-party components. Each of these components can introduce vulnerabilities that may impact the entire product.
Automated Analysis of Firmware and Software Components
Therefore, modern security platforms are increasingly relying on automated analysis to detect risks early on. For instance, the ONEKEY Product Cybersecurity & Compliance Platform allows manufacturers to swiftly scan device firmware and pinpoint known vulnerabilities.
One particular advantage is that the analysis can be performed without access to the source code. Binary files are examined directly, allowing security issues to be detected in complex embedded systems.
Automated vulnerability management also helps companies transparently document software components and systematically prioritize risks. This gives security managers a clear overview of which vulnerabilities are critical and which remedial measures should be implemented as a priority.
This includes a feature for generating enriched SBOMs. These expanded software bills of materials contain all relevant vulnerability information and fully meet industry and regulatory requirements. They list vulnerabilities and their risk classifications and provide supporting documentation and justifications in a single, easy-to-manage file. This transforms the SBOM from a mere bill of materials into a security passport with an integrated risk assessment and all the necessary regulatory evidence.
Continuous Monitoring Throughout the Entire Product Lifecycle
These new features are part of ONEKEY’s “CRA Fast Start” program. This program allows manufacturers of connected devices, machines, and systems to evaluate their products’ compliance with the new EU Cyber Resilience Act in a structured way, eliminating lead times. The program is based on the following pillars: CRA Readiness Assessment, creation of Software Bills of Materials (SBOMs) as a solid foundation for permanent CRA compliance, systematic vulnerability management, and continuous monitoring.
The CRA Readiness Assessment is a structured analysis of a company’s maturity level with regard to CRA requirements. Based on the results, compliance gaps can be identified and prioritized action steps can be defined. Next, continuous vulnerability management and monitoring uncover vulnerabilities and create transparency for software supply chains (through SBOMs). New vulnerabilities, affected libraries, and security-related changes are continuously tracked. These processes support compliance with CRA obligations, as well as the necessary governance and risk management processes.
Strategic Importance for Businesses
The CRA will have far-reaching implications for manufacturers of connected products. To meet regulatory requirements, companies must align their development processes more closely with security and establish new organizational structures.
Professional vulnerability management is therefore a critical component of CRA compliance. Early investment in automated security analysis and structured processes helps reduce regulatory risk while strengthening trust among customers and partners.
“The CRA will permanently transform product development in Europe,” said Jan Wendenburg, CEO of ONEKEY. “In the future, cybersecurity will be viewed not as an add-on feature but as a fundamental prerequisite for digital products in the European market.”
ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.
Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated Software Bills of Materials (SBOMs) generation. “Digital Cyber Twins” enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.
The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.
The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.
Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.
Further information: ONEKEY GmbH,
Sara Fortmann, email: sara.fortmann@onekey.com,
Toulouser Allee 19A, 40211 Düsseldorf, Germany,
web: https://onekey.com
