Thousands of companies outside Europe in Asia and America are also affected by the new EU regulation.
Duesseldorf / Germany / European Union, January 16 2025 – Last year, the European Union (EU) introduced a new regulation that will affect all manufacturers who supply connected electronic products to EU countries: the EU Cyber Resilience Act (CRA). The CRA makes manufacturers responsible for the cybersecurity of their products, not just at the point of sale but throughout the entire product lifecycle. Once the CRA takes effect, selling smart connected devices without regular cyber resilience testing will be illegal in Europe. Violations could result in fines of up to €15 million ($16.75 million) or 2.5% of annual global turnover, whichever is higher.
Jan Wendenburg, CEO of ONEKEY, stated: “At ONEKEY, we are fully prepared to test internet-connected electronic products for compliance with EU cybersecurity regulations before they enter the European Union market. Products that fail to meet the CRA requirements will not be eligible for the CE mark, which is mandatory for sale within the EU.”
A Thriving and Expanding Market in Europe
The European Union, comprising 27 countries and a population of around 448 million, currently hosts nearly 20 billion connected devices. These include smart home appliances, connected vehicles, industrial sensors, and medical devices. By 2030, the number of connected digital products in use within the EU is projected to reach 30 billion. As a result, the market is expected to grow from €120 billion in 2024 to between €250 billion and €300 billion by 2030. “No international manufacturer of electronic products will want to miss out on the European market,” says cybersecurity expert Jan Wendenburg.
He also points to another regulatory peculiarity in the European Union: If artificial intelligence (AI) is used in networked devices, either directly or via a cloud connection, the EU Artificial Intelligence Act (EU AI Act) must also be observed via the EU Cyber Resilience Act if international companies want to sell electronic products in the countries of the European Union.
Scope and Implications for Manufacturers, Importers, and Dealers
ONEKEY CEO Jan Wendenburg points out that the CRA regulation applies not only to product manufacturers, but also to distributors, i.e. importers and retailers who sell connected devices within the EU. The Cyber Resilience Act also covers all online platforms through which consumers or businesses can purchase electronic products in European countries, without exception. “There is no loophole,” says Jan Wendenburg, “as soon as a product of any type or origin has an internet connection, the strict requirements of the EU CRA legislation apply.”
Because of the need for continuous software updates, it is necessary to prepare a networked device for distribution in the European Union right from the development phase. “EU legislation is based on security by design,” explains Jan Wendenburg. “With a development time of one and a half to three years, depending on the product category, it is therefore high time to focus on an EU-compliant product range,” says the ONEKEY CEO.
Product Cybersecurity & Compliance Platform Ensures EU Compliance
ONEKEY operates a Product Cybersecurity & Compliance Platform (PCCP) that enables international manufacturers, distributors and retailers to automatically check their networked devices, machines and systems for compliance with the European Union’s Cyber Resilience Act. This includes all Operational Technology (OT) and Internet of Things (IoT) product classes.
In just a few minutes, a fully automated audit can provide a detailed analysis of vulnerabilities in product software and assess their relevance. The audit also identifies potential compliance violations, saving both time and money. The resulting documentation can serve as evidence for cybersecurity compliance, helping manufacturers and distributors demonstrate to EU authorities that they meet the highest standards of compliance. “In case of doubt, it’s not only crucial to comply with regulations, but also to document this compliance in a legally effective manner,” emphasizes Jan Wendenburg. “The ONEKEY Product Cybersecurity & Compliance Platform offers both: comprehensive testing of connected products and verifiable proof for EU institutions.”
In the past, the European Union has repeatedly imposed draconian fines on international companies for violating various EU regulations and laws. Examples include Apple (€13 billion, 2016), Google (€4.34 billion, 2018), Amazon (€746 million, 2021), Samsung (€145 million, 2013), Sony, Panasonic and Sanyo (€166 million, 2016) and ChemChina (€68 million, 2017). “The EU is not afraid to go after the big players, so it is even less afraid of fining smaller and medium-sized companies for non-compliance with EU rules,” says Jan Wendenburg.
Discussion about this post