The EU Cyber Resilience Act (CRA) requires industry players to take extensive measures starting this year to ensure the secure development and monitoring of products that can withstand hacker attacks.
According to the survey, the main responsibility for meeting CRA requirements lies with IT security in 46 percent of companies. In just over one-fifth (21 percent), the compliance department holds primary responsibility. In 18 percent of cases, top management is in charge, followed by the legal department in 16 percent, and product development in 15 percent of the organizations surveyed. “The responsibilities need to be more clearly defined and consolidated,” said Jan Wendenburg, CEO of Onekey, analysing the results. “The wide range of CRA stakeholders within the industry reflects the fact that the regulation itself covers a broad spectrum of topics,” he explained.
Manufacturers of connected products must now design their devices, machines, and systems to be secure from the ground up (security by design) and ensure that they continue to meet CRA requirements throughout their entire lifecycle. “This is clearly an area where engineering and product development play a central role,” said Jan Wendenburg, CEO of Onekey. In addition, vendors are required to report any actively exploited vulnerabilities and serious incidents affecting the security of their products within 24 hours to the European Union Agency for Cybersecurity (ENISA) and the relevant national Computer Security Incident Response Team (CSIRT). “That responsibility typically falls to the IT security department,” explained Jan Wendenburg.
Supplier obligations on vulnerabilities
Suppliers are also obligated to provide regular security updates to fix known vulnerabilities and maintain product safety. Equally important is maintaining comprehensive documentation for all products, including a Software Bill of Materials (SBOM), which ensures full transparency and traceability of all software components used. “These tasks usually fall under the remit of development and production,” said Jan Wendenburg.
“However, the related documentation proving compliance with CRA requirements is primarily the responsibility of product management, working closely with the compliance department,” he added. Violations of the EU regulation can result in fines of up to €15 million or 2.5 percent of global annual turnover, whichever is higher—making this a critical issue for corporate legal teams. Finally, the risk of personal liability for executives and board members should not be underestimated, which explains why top management is increasingly becoming directly involved in the practical implementation of the Cyber Resilience Act.
Jan Wendenburg emphasised: “The Cyber Resilience Act is truly cross-departmental and cross-functional, which means responsibility within organizations is not immediately clear. What may first appear to be confusion over accountability is, on closer inspection, understandable. The challenge for industry lies in meeting the full scope of the EU regulation.”
Software development roles are scarce but crucial
The study revealed a wide range of roles involved in CRA implementation across organisations. In 18 percent of organisations, product managers are responsible for CRA compliance, followed by compliance officers in 17 percent, Chief Information Security Officers (CISOs) in 15 percent, and cyber security analysts in 11 percent. Surprisingly, heads of software development are responsible in only 8 percent of companies, even though the Software Bill of Materials (SBOM) represents a crucial element for fulfilling CRA requirements. Under the regulation, all manufacturers delivering connected products to the EU are required to provide an SBOM as part of their technical documentation. This document must include detailed information about every individual software component, ensuring transparency, traceability, and accountability throughout the product’s lifecycle.
“The SBOM is the weakest link in the compliance chain for the Cyber Resilience Act,” said Jan Wendenburg, CEO of Onekey. He explained: “The CRA requires a precise inventory of all components, libraries, frameworks, and dependencies — including exact version numbers, license information, and an overview of all known vulnerabilities. If even one of these components contains an exploitable vulnerability that has already been used in an attack, the affected product or software version may not be placed on the market. For existing products, authorities must be notified within 24 hours. Considering that more than 2,000 new software vulnerabilities emerge every month, this is no easy task — and without automated verification, it’s practically impossible to manage.”
CRA-specific teams
To understand how organizations are addressing the cross-functional and interdisciplinary requirements of the Cyber Resilience Act, Onekey asked whether firms have created dedicated collaboration structures. The findings: 28 percent have set up working groups across departments, while 13 percent have even formed dedicated CRA teams. Nearly a third (32 percent) of respondents, however, have no specific team structure for handling CRA compliance.
Among the companies with dedicated structures, 18 percent said their CRA teams include four to ten people, and 15 percent said up to three people are involved. In nearly 8 percent of cases, more than ten employees work on CRA implementation — covering everything from product development and SBOM creation to vulnerability management and compliance processes.
“It’s encouraging that more than 40 percent of organisations have established some form of internal structure to manage CRA implementation,” Jan Wendenburg noted. “Ultimately, cyber security isn’t about ticking regulatory boxes — it’s about protecting the company from increasingly sophisticated cyber attacks with potentially dramatic consequences.”