A new cybersecurity report finds few companies are prepared for the EU’s Cyber Resilience Act, which will require software component lists for connected devices.
As the number of internet-connected devices in healthcare and other industries grows, a new report from cybersecurity firm ONEKEY finds that most organizations are unprepared for upcoming European Union (EU) regulations designed to enhance digital resilience. The “IoT & OT Cybersecurity Report 2025” reveals that only 12% of surveyed German industrial organizations have a complete Software Bill of Materials (SBOM)—a detailed inventory of all software components—for their networked systems.
This low adoption rate comes as the EU’s Cyber Resilience Act (CRA) is set to mandate SBOMs for all products with digital elements sold in the EU by 2027.
The report, which surveyed 300 German companies on Internet of Things and operational technology security, found that while 44% are addressing the issue, 25% have no SBOM for any of their digital devices. Another 25% were uncertain about their status.
“The result is surprising, as the Cyber Resilience Act will require a Software Bill of Materials for all products with digital elements by 2027 at the latest,” says Jan Wendenburg, CEO of ONEKEY, in a release. “This is an EU regulation, not just a directive. This means that this cybersecurity standard will become legally effective immediately in accordance with EU timelines, without requiring national implementation. Therefore, there will be no delay due to the implementation of the CRA in Germany, as is the case with the NIS2 cybersecurity standard.”
Companies May Underestimate SBOM Challenge
According to the report, most companies do not consider creating an SBOM to be the biggest challenge in meeting CRA requirements. Only 29% of respondents consider creating an SBOM to be particularly difficult. In contrast, more companies (37%) view the CRA’s mandate to report security incidents within 24 hours as the biggest challenge. ONEKEY suggests this perception underestimates the complexity of generating and maintaining accurate SBOMs.
“In an industrial environment, obtaining an up-to-date and complete Software Bill of Materials is anything but easy,” says Wendenburg. Wendenburg notes that complex supply chains, outdated or proprietary components in machinery, and a lack of understanding from suppliers outside the EU create significant hurdles.
The CRA will require all manufacturers supplying connected products to the EU to provide an SBOM as part of their technical documentation. This SBOM must contain detailed information about the various software components. However, many suppliers would have difficulty compiling a complete SBOM because their upstream suppliers would not provide them with complete information. “Overall, the CRA requires detailed documentation of all programs, libraries, and components, including exact version numbers, license information, author details, and an overview,” says Wendenburg in a release.
According to the Düsseldorf-based security company that operates a platform for automatically generating SBOMs, creating an SBOM is not a one-time effort. Rather, the SBOM must be kept up to date on an ongoing basis. ONEKEY reports that the German Federal Office for Information Security recorded an average of more than 2,000 software product vulnerabilities per month, 15% of which the office classified as “critical.”
“With around 70 new potential gateways for hackers every day, it is particularly important for all manufacturers to keep track of things. The key challenge for manufacturers is to regularly check whether their products are affected by new vulnerabilities, so they can react quickly and proactively if necessary,” says Wendenburg. “With the CRA, product cybersecurity is important not only on the day a product is delivered but also throughout the entire product lifecycle.”
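The ongoing work the report describes, keeping an SBOM complete and re-checking its components against newly published vulnerabilities, is easier to see in code. The following is an added example, not code from ONEKEY or from the report: it loads a constructed, minimal CycloneDX-style SBOM (a subset of the real format), flags components that lack the version or license data the CRA documentation requires, and matches the rest against a constructed advisory feed with placeholder IDs and version ranges. The version-range semantics (introduced <= version < fixed) and the advisory fields are assumptions of this example.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a fictional device.
# Only a subset of the CycloneDX fields is used; values are illustrative.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "example-pump-controller", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "busybox", "version": "1.35.0",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
    {"type": "library", "name": "vendor-motor-hal"}
  ]
}
"""

# Constructed advisory feed. IDs and ranges are placeholders, not real CVEs.
# Assumed semantics: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "component": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.7", "severity": "high"},
]


def parse_version(text):
    """Split a dotted version such as '1.1.1k' into ((1,''),(1,''),(1,'k'))."""
    parts = []
    for piece in text.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        number = int(piece[:i]) if i else 0
        parts.append((number, piece[i:]))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter versions are padded so '1.2' == '1.2.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += ((0, ""),) * (width - len(pa))
    pb += ((0, ""),) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(version, advisory):
    """True if version falls in [introduced, fixed); no 'fixed' means open-ended."""
    if compare_versions(version, advisory["introduced"]) < 0:
        return False
    fixed = advisory.get("fixed")
    return fixed is None or compare_versions(version, fixed) < 0


def completeness_gaps(sbom_json):
    """List components missing the version or license data an SBOM must carry."""
    gaps = []
    for comp in json.loads(sbom_json).get("components", []):
        if not comp.get("version"):
            gaps.append(f"{comp['name']}: missing version")
        if not comp.get("licenses"):
            gaps.append(f"{comp['name']}: missing license")
    return gaps


def match_advisories(sbom_json, advisories):
    """Return every (component, advisory) pair where the shipped version is affected.

    Components without a version cannot be assessed and are skipped here;
    completeness_gaps() reports them separately.
    """
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        version = comp.get("version")
        if not version:
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(version, adv):
                hits.append({"component": comp["name"], "version": version,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return hits


if __name__ == "__main__":
    for gap in completeness_gaps(SBOM_JSON):
        print("gap:", gap)
    for hit in match_advisories(SBOM_JSON, ADVISORIES):
        print("affected:", hit)
```

Run against a fresh advisory feed on a schedule rather than once at release; the component without a version is the case the report calls out, a proprietary part whose supplier gave no details, and it shows up as a documentation gap rather than silently passing the vulnerability check.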