Highlighting the challenges of the new CRA regulations


Although Software Bills of Materials (SBOMs) are not yet widely used by companies, they will soon become standard thanks to the Cyber Resilience Act (CRA). However, the new Onekey IoT & OT Cybersecurity Report 2025 reveals that, whilst implementation of the Act is fast approaching, many companies are still in the early stages and could strengthen their cyber resilience by using SBOMs.

Updating and securing software is crucial to ensuring that digital systems can withstand cyber attacks. According to Onekey’s new report, only 12 percent of the German industrial companies surveyed have a complete overview of the programmes used in their devices, machines, and systems. A Software Bill of Materials (SBOM) provides this overview: a full list of all the components contained in the software.

For its latest security report, Onekey surveyed 300 German industrial companies regarding OT and IoT security. Forty-four percent confirmed that they are addressing the issue of SBOM. Just under a third (32%) have created an SBOM for some of their networked devices, machines, and systems. However, only 12% have done so for all affected products and systems. Twenty-five percent do not have an SBOM for any of their digital devices. Another 25 percent said they were uncertain about the SBOM issue.

“The result is surprising, as the Cyber Resilience Act (CRA) will require a Software Bill of Materials for all products with digital elements by 2027 at the latest,” said Jan Wendenburg, CEO of Onekey. He clarified: “This is an EU regulation, not just a directive. This means that this cyber security standard will become legally effective immediately in accordance with EU timelines, without requiring national implementation. Therefore, there will be no delay due to the implementation of the CRA in Germany, as is the case with the NIS2 cybersecurity standard.”
And, according to Onekey, the companies surveyed do not consider creating a Software Bill of Materials (SBOM) to be the biggest challenge in meeting CRA requirements. Only 29 percent consider creating an SBOM particularly difficult. By comparison, 37 percent consider the obligation to report security incidents to the relevant authorities within 24 hours to be the CRA’s biggest challenge. According to Onekey, this underestimation of the SBOM effort will prove to be an extraordinary challenge in connection with CRA compliance.

“In an industrial environment, obtaining an up-to-date and complete Software Bill of Materials is anything but easy,” explained Onekey CEO Jan Wendenburg. Given the wide range of devices, machines, and systems, compiling the relevant information is a huge task for many companies. Additionally, many machines and their control systems are based on outdated and proprietary components, which makes achieving complete transparency nearly impossible. Complex supply chains and a lack of understanding among suppliers outside the European Union of EU-specific regulations further complicate matters.

The Cyber Resilience Act will require all manufacturers supplying connected products to the EU to provide an SBOM as part of their technical documentation. This SBOM must contain detailed information about the various software components. However, many suppliers have difficulty compiling a complete SBOM because their own upstream suppliers do not provide them with complete information. Jan Wendenburg explained: “Overall, the CRA requires detailed documentation of all programmes, libraries, and components, including exact version numbers, license information, author details, and an overview.”

According to the Düsseldorf-based security company that operates a platform for automatically generating SBOMs, creating an SBOM is not a one-time effort. Rather, the Software Bill of Materials must be kept up to date on an ongoing basis. Onekey reports that the German Federal Office for Information Security (BSI) recorded an average of more than 2,000 software product vulnerabilities per month, 15 percent of which the office classified as “critical.”

“With around 70 new potential gateways for hackers every day, it is particularly important for all manufacturers to keep track of things,” Jan Wendenburg said. “The key challenge for manufacturers is to regularly check whether their products are affected by new vulnerabilities, so they can react quickly and proactively if necessary. This is exactly where the Cyber Resilience Act comes in. With the CRA, product cyber security is important not only on the day a product is delivered but also throughout the entire product life cycle. Those who create transparency about potential security gaps can act confidently and in compliance with the law in an emergency.”
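The ongoing check Wendenburg describes, matching a Software Bill of Materials against newly published vulnerabilities and flagging components that cannot be assessed at all, as an added example that is not Onekey’s platform code and not CRA reference material. The CycloneDX-style SBOM and the OSV-style advisory feed are constructed sample data; the EXAMPLE-* advisory IDs and the supplier name are placeholders, not real vulnerabilities or companies.

```python
"""Check a CycloneDX-style SBOM against a vulnerability feed.

Added example (not code from Onekey or from the CRA): the SBOM and the
advisory feed below are constructed sample data. Advisory IDs of the form
EXAMPLE-* are placeholders, not real vulnerabilities. A real run would load
an SBOM exported by the build system and a feed such as OSV, NVD or BSI CSAF.
"""
import json
import re

# Constructed CycloneDX 1.5-style SBOM for a fictional gateway firmware.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11",
         "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "application", "name": "busybox", "version": "1.31.1",
         "purl": "pkg:generic/busybox@1.31.1",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "mbedtls", "version": "2.16.6",
         "purl": "pkg:generic/mbedtls@2.16.6",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Proprietary blob delivered by a (fictional) supplier without any
        # version data: exactly the transparency gap the article describes.
        {"type": "library", "name": "vendor-plc-stack",
         "supplier": {"name": "Example PLC GmbH"}},
    ],
})

# Constructed OSV-style feed: each entry affects one package name over the
# half-open version range [introduced, fixed).
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "zlib",
     "introduced": "1.2.0", "fixed": "1.2.12", "severity": "critical"},
    {"id": "EXAMPLE-0002", "package": "busybox",
     "introduced": "1.30.0", "fixed": "1.32.0", "severity": "high"},
    {"id": "EXAMPLE-0003", "package": "mbedtls",
     "introduced": "2.0.0", "fixed": "2.16.6", "severity": "high"},
]


def parse_version(text):
    """Turn '1.2.11' or '2.16.6p1' into a comparable tuple of integers.
    Non-numeric suffixes are dropped; a missing version is an error, because
    an unversioned component cannot be matched against any advisory."""
    if not text:
        raise ValueError("missing version")
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group()))
    return tuple(parts)


def components_from_sbom(sbom_json):
    """Extract name, version, purl and licenses from a CycloneDX JSON document.
    The version falls back to the '@version' suffix of the purl if absent."""
    doc = json.loads(sbom_json)
    out = []
    for c in doc.get("components", []):
        version = c.get("version")
        purl = c.get("purl")
        if not version and purl and "@" in purl:
            version = purl.rsplit("@", 1)[1]
        licenses = [lic["license"].get("id") or lic["license"].get("name")
                    for lic in c.get("licenses", []) if "license" in lic]
        out.append({"name": c["name"], "version": version,
                    "purl": purl, "licenses": licenses})
    return out


def is_affected(version, advisory):
    """True if version lies in [introduced, fixed); no 'fixed' means open-ended."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"]) if advisory.get("fixed") else None
    return v >= lo and (hi is None or v < hi)


def check_sbom(sbom_json, advisories):
    """Return (findings, unversioned): one finding per component/advisory hit,
    plus the names of components whose version is unknown and which therefore
    cannot be assessed at all (a gap to report back to the supplier)."""
    findings, unversioned = [], []
    for comp in components_from_sbom(sbom_json):
        if not comp["version"]:
            unversioned.append(comp["name"])
            continue
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "severity": adv["severity"],
                                 "fixed_in": adv.get("fixed")})
    return findings, unversioned


if __name__ == "__main__":
    hits, unknown = check_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for h in hits:
        print(f"{h['severity']:8} {h['component']}@{h['version']} "
              f"-> {h['advisory']} (fixed in {h['fixed_in']})")
    for name in unknown:
        print(f"UNKNOWN  {name}: no version in SBOM, cannot be assessed")
```

Run on the sample data, the script flags zlib and busybox, clears mbedtls because its version equals the fix version, and reports vendor-plc-stack as unassessable. The last category is the one worth watching in an industrial SBOM: a component with no version is not "no finding", it is a finding of its own, and this scan would be re-run against the feed every time new advisories are published, not once at delivery.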