News from the Wire

ONEKEY: Cyber Resilience Act enters Phase 1

Thursday, February 05, 2026 — 15:58:09 (UTC)

ONEKEY: Cyber Resilience Act Enters Phase 1 – Reporting Requirements for Manufacturers Begin in 2026

The CRA (Cyber Resilience Act) will enter its operational phase this year, introducing reporting requirements. Manufacturers must act quickly.

Düsseldorf, 5 February 2026 – The Cyber Resilience Act will have its first direct regulatory impact in 2026. Manufacturers of digital devices, machines and systems with an internet connection will be required to comply with new reporting and security obligations. This is highlighted by ONEKEY, a Düsseldorf-based cybersecurity company that operates a platform for analyzing device firmware for security vulnerabilities and CRA compliance.

Reporting Requirement for Manufacturers from September 11, 2026

The Cyber Resilience Act officially came into force on 10 December 2024, setting out a key timeline for affected companies. From September 11, 2026, manufacturers will be required to actively report exploited vulnerabilities as well as serious security incidents. Under the regulation, manufacturers must notify the relevant authorities of security vulnerabilities and security-related incidents as soon as they become aware of them, and within strict time limits. To support this process, the EU Agency for Cybersecurity (ENISA) is establishing a centralized CRA Single Reporting Platform (SRP), through which all reports must be submitted in future.

The CRA's comprehensive requirements, including security by design, lifecycle management and CE marking under CRA conformity assessment, will apply in full from 11 December 2027. "The operational phase of the Cyber Resilience Act will begin in 2026," said ONEKEY Managing Director Jan Wendenburg.

Starting on June 11, 2026, the first conformity assessment bodies (CABs) will start to check product conformity. These CABs are accredited, independent testing laboratories. This enables manufacturers to obtain external CRA conformity certification. ONEKEY CEO Jan Wendenburg explained the urgency of this process: "The manufacturers concerned must have their internal processes, documentation, technical evidence, and safety requirements in place by then at the latest so that a CAB can test their products." External conformity assessment is mandatory for products with a high safety risk (CRA classes "critical" and "highly critical"), such as critical infrastructure components, IoT devices with high damage potential, and industrial control systems.

"However, a self-declaration is sufficient for around 90 percent of all networked products," Jan Wendenburg clarified. This is a declaration by the manufacturer that the digital product meets the CRA's requirements and is being legally placed on the market. The declaration must include a detailed conformity assessment, which can be carried out via the ONEKEY platform. From 11 December 2027 onwards, products without such a declaration may no longer be sold on the EU market.

Manufacturers Must Act Now

Jan Wendenburg explained: "It's time for manufacturers to subject their networked devices, machines, and systems to a CRA conformity assessment." Based on his experience with relevant tests on the ONEKEY platform, he knows that "gaps often emerge, and many of them are difficult to resolve. Manufacturers should be prepared to invest the necessary time, money, and personnel to meet the legal requirements that will be imposed on them.” He cites vulnerabilities in external programs from partners outside the EU with little understanding of CRA compliance, as well as purchased components with incomplete documentation and open-source software, as examples.

ONEKEY’s Managing Director added that the first step for manufacturers is to create a software bill of materials (SBOM) for each networked product, which is often challenging in practice. The purpose of an SBOM is to identify software components that may contain vulnerabilities that could be exploited by attackers, enabling them to be addressed quickly and systematically. To this end, the Cyber Resilience Act requires a comprehensive inventory of all software elements, including programs, libraries, frameworks, and dependencies, along with their exact version numbers. Manufacturers must also document licensing information, authorship, and any known vulnerabilities or security gaps associated with each component. According to Wendenburg, many manufacturers struggle to meet these requirements because they do not receive sufficient or reliable information from their suppliers. “Many SBOMs are incomplete, outdated, or lack the necessary context around vulnerabilities,” he said. “Such SBOMs fail to meet the mandatory documentation standards under EU regulations and offer little practical value for compliance or security purposes.”

Most of the Effort Can Be Automated

However, CRA requirements extend well beyond providing an accurate SBOM. Manufacturers must implement security measures during the design and development phases of their products. These requirements include secure software and hardware designs, clear vulnerability management guidelines, end-to-end risk management, and mandatory security updates throughout defined product lifecycles. "These measures must be implemented, evaluated, documented, and verified," said Jan Wendenburg, outlining the effort involved.

He concluded: "The first implementation phase of the Cyber Resilience Act is undoubtedly a milestone for digital security in Europe, but it also requires considerable effort from manufacturers."

ONEKEY is the leading European specialist in Product Cybersecurity & Compliance Management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The unique combination of the automated ONEKEY Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services provides fast and comprehensive analysis, support, and management to improve product cybersecurity and compliance from product purchasing, design, development, production to end-of-life.

Critical vulnerabilities and compliance violations in device firmware are automatically identified in binary code by AI-based technology in minutes – without source code, device, or network access. Proactively audit software supply chains with integrated Software Bills of Materials (SBOMs) generation. "Digital Cyber Twins" enable automated 24/7 post-release cybersecurity monitoring throughout the product lifecycle.

The patent-pending, integrated ONEKEY Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R 155 and many others.

The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated automatic prioritisation of vulnerabilities, significantly reducing the time to remediation.

Leading international companies in Asia, Europe and the Americas already benefit from the ONEKEY Product Cybersecurity & Compliance Platform (OCP) and ONEKEY Cybersecurity Experts.

Further information: ONEKEY GmbH, Sara Fortmann, email: sara.fortmann@onekey.com, Toulouser Allee 19A, 40211 Düsseldorf, Germany, web: onekey.com

PR Agency: euromarcom public relations GmbH, Mühlhohle 2, 65205 Wiesbaden, Germany, email: team@euromarcom.de, web: www.euromarcom.de

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.

Source: Company press release.

Categories: Announcement