Onekey IoT & OT Cybersecurity Report 2025

Industry with room for improvement in cybersecurity standards

The industry is preparing for the end of the transition period of the EU Cyber Resilience Act (CRA) in 2026/27, but should gain momentum in meeting the associated technical standards.

More than half of the companies have initiated measures to comply with the EU Cyber Resilience Act, but there is a need for improvement in implementation.

According to an industry survey by the Düsseldorf cybersecurity company Onekey, 38 percent of companies in Germany have already taken initial steps to comply with the EU regulation, and a further 14 percent have already implemented extensive measures. “It is encouraging that more than half of the companies have already taken steps to comply with the new EU regulation,” explains Jan Wendenburg, CEO of Onekey. The company provides the survey results in the “IoT & OT Cybersecurity Report 2025” free of charge on its website: https://www.onekey.com/de/resource/iot-ot-cybersecurity-report-2025. For the report, 300 companies were surveyed about their current status and strategy in “operational technology” (OT), such as industrial control systems, and the “internet of things” (IoT), from smart home devices to industrial robots.

Extensive measures to prevent hacker attacks required

The EU regulation adopted in 2024 to strengthen cybersecurity in Europe is being implemented gradually and requires businesses to take extensive measures to prevent hacker attacks starting in 2026 and 2027. The focus extends beyond the central computer and network systems of companies to devices, machines, and systems that are "not actually" computers but have digital components and internet access. "This includes the entire Industry 4.0 complex and the entire IoT sector," outlines Jan Wendenburg, describing the scope of the new EU cybersecurity regulations for businesses.

Standard IEC 62443-4-2 is little considered

The survey shows that, despite the measures already initiated, a large part of German industry still has room for improvement in meeting the standards associated with the Cyber Resilience Act. Only 27 percent of the companies surveyed take into account the IEC 62443-4-2 standard, which defines technical security requirements for components of industrial automation and control systems (IACS). This established standard offers proven procedures for meeting technical cybersecurity requirements and thus contributes significantly to future CRA compliance.

Requirements for cybersecurity specified by standard

The standard specifies requirements for the cybersecurity of components such as embedded systems, network components, host devices, and software applications, based on seven foundational requirements:

  • identification and authentication,
  • use control,
  • system integrity,
  • data confidentiality,
  • restricted data flow,
  • timely response to events, and
  • resource availability.

These are divided into four security levels (SL 0-4) that indicate the degree of protection against different classes of attackers, from unintentional misuse (SL 1) to intensive attacks (SL 4). The goal is to define the security capabilities of components (SL-C) so that they are able to fend off attacks without additional countermeasures.

Standard ETSI EN 303 645 receives little attention

A second standard essential for CRA compliance, ETSI EN 303 645, also receives little attention in product development according to the Onekey report. Only a quarter of the surveyed companies take this standard into account. ETSI EN 303 645 sets cybersecurity requirements for connected consumer devices to ensure basic protection against cyberattacks; it comprises 13 core requirements, including secure default configurations, protection of personal data, software updates, and secure communication. It is closely linked to the EU Cyber Resilience Act, as it serves as a harmonized standard for meeting CRA requirements for IoT devices, particularly for secure development, vulnerability management, and transparency. By conforming to ETSI EN 303 645, manufacturers establish a significant prerequisite and basis for future CRA compliance and also obtain the CE marking required for the EU market.

Radio standard of central importance for devices and systems

According to the Onekey report, the industry also needs to catch up on the RED standard (EN 18031). The requirements of this Radio Equipment Directive are currently observed by only 16 percent of the companies surveyed, yet they are of central importance for connected devices, systems, and machines, as more and more industrial machines, sensors, actuators, and other digital products are networked via radio. The directive is intended to ensure that these devices are electromagnetically compatible and do not cause interference in radio communications. It requires manufacturers to ensure that their products, insofar as they use radio technologies, meet the essential requirements before they are placed on the European market. Meeting the requirements of the RED standard is also an important building block for future compliance with the Cyber Resilience Act.

The EU has created a very comprehensive set of regulations with the Cyber Resilience Act, from technical standards to reporting obligations. Accordingly, the challenges for the industry to fully implement the CRA are high. However, this will soon be the prerequisite for selling, marketing, or operating connected devices, systems, and installations in the EU.

Jan Wendenburg, CEO of Onekey

Support through assessment workshops

Onekey supports companies with practical assessment workshops (RED-Readiness and CRA-Readiness). In introductory sessions, participants learn about the specific impacts of RED and CRA on their operations and receive an individual assessment plan based on this. A detailed process review analyzes key areas such as software development and vulnerability management. In addition, a gap analysis uncovers existing compliance gaps and shows ways to address them. At the end of the workshop, each company receives a tailored roadmap that clearly shows how the requirements from RED and CRA can be implemented in a structured and efficient manner.

Expert knowledge and consulting services for comprehensive analysis

Onekey is a specialist in Europe for product cybersecurity and compliance management and part of the investment portfolio of PricewaterhouseCoopers Germany (PwC). The combination of the automated Onekey Product Cybersecurity & Compliance Platform (OCP) with expert knowledge and consulting services offers quick and comprehensive analysis, support, and management to improve product cybersecurity and compliance across the product lifecycle, from procurement, design, development, and production through to end of life. Critical security vulnerabilities and compliance violations in device firmware are identified fully automatically within minutes by AI-based analysis of the binary code, without requiring source code, device, or network access.

Proactive review of software supply chains

Through the integrated creation of Software Bills of Materials (SBOMs), software supply chains can be proactively reviewed. “Digital Cyber Twins” enable automated 24/7 monitoring of cybersecurity even after release, throughout the entire product lifecycle. The patent-pending, integrated Onekey Compliance Wizard already covers the EU Cyber Resilience Act (CRA) and requirements according to IEC 62443-4-2, ETSI EN 303 645, UNECE R155, and many others. The Product Security Incident Response Team (PSIRT) is effectively supported by the integrated, automatic prioritization of vulnerabilities, significantly reducing the time to fix. Companies from Asia, Europe, and America are already successfully benefiting from the Onekey Product Cybersecurity & Compliance Platform (OCP) and the Onekey cybersecurity experts.

Source: Onekey

FAQs about the Onekey report

1. What is the EU Cyber Resilience Act (CRA) and when does it come into effect?
The CRA is an EU regulation to strengthen cybersecurity in Europe. It was adopted in 2024 and requires companies from 2026/27 to implement extensive security measures - especially for devices, machines, and installations with digital components or internet access.

2. How well is the German industry prepared for the CRA?
According to a survey by the company Onekey, 38 percent of companies have already taken initial steps and 14 percent have started further measures. However, there is a great need for improvement, especially in implementing relevant technical standards.

3. Which standards are particularly important for CRA compliance?
Central are the standards IEC 62443-4-2 for industrial automation and control systems, ETSI EN 303 645 for connected consumer devices, and the Radio Equipment Directive RED (EN 18031). They form the technical basis for CRA-compliant product security.

4. What does the IEC 62443-4-2 standard regulate?
This standard defines technical security requirements for components of industrial control systems - from embedded systems to software applications. It is based on seven foundational requirements and four security levels (SL 0-4), which specify different protection levels against attackers.

5. What is the significance of ETSI EN 303 645?
It describes 13 cybersecurity requirements for IoT devices, such as secure default configurations, data protection, software updates, and secure communication. The standard is considered a harmonized basis for meeting CRA requirements and CE marking obligations.

6. Why is the Radio Equipment Directive RED relevant?
The Radio Equipment Directive ensures that devices with radio technologies are electromagnetically compatible and do not cause interference. Compliance is an important prerequisite for offering CRA-compliant and marketable products in the EU.

7. How does Onekey support companies in CRA preparation?
Onekey offers practice-oriented assessment workshops on RED and CRA readiness, detailed gap analyses, and an automated cybersecurity platform. This combines AI-based security analyses, compliance management, "Digital Cyber Twins," and the "Compliance Wizard" to guide companies structurally to CRA fulfillment.
