New study reveals major cybersecurity training gap as EU Cyber Resilience Act deadline nears
A new study by German cybersecurity firm ONEKEY has raised serious concerns about the level of cybersecurity readiness among European businesses, revealing a widening training gap in cyber defence just as stricter regulations loom.
According to the IoT & OT Cybersecurity Report 2025, barely 30% of organisations conduct cyber resilience training at least once a year—despite the fast-approaching implementation of the European Union’s Cyber Resilience Act (CRA).
With the first phase of the CRA’s reporting and compliance requirements set to take effect this fall, experts warn that many companies remain dangerously unprepared.
Cyber Resilience Act Raises the Bar for Digital Security
Under the CRA, manufacturers, distributors, and operators of networked devices, machines, and systems must ensure that their products:
- Meet basic cybersecurity standards
- Are free from known vulnerabilities
- Receive regular security updates
- Include a comprehensive Software Bill of Materials (SBOM)
- Comply with mandatory incident reporting rules
By fall 2027, full compliance will be mandatory across the EU, with heavy financial penalties for violations—making early preparation critical.
Training Deficit Exposes Organisations to Growing Risk
Despite the rising regulatory pressure, ONEKEY’s survey of 300 companies shows that cybersecurity training remains inconsistent:
- 30% conduct cyber resilience training at least once a year
- 28% train staff only every one to two years
- 19% rarely or never provide CRA-related training
For Jan Wendenburg, CEO of ONEKEY, the findings are deeply troubling.
“The low level of training is all the more remarkable given that the threat level remains high,” he said, pointing to German police statistics that recorded more than 130,000 cybercrime cases in a single year, with estimated damages of €180 billion.
Rising Digitalisation and AI Fuel Cybercrime Surge
Wendenburg warns that the situation is likely to worsen as digital transformation accelerates and cybercriminals increasingly exploit artificial intelligence to scale attacks.
Alarmingly, the report reveals that 35% of surveyed companies have already suffered at least one cybersecurity incident linked to non-compliance with CRA requirements.
“The CRA’s reporting obligations will take effect this fall,” Wendenburg stressed. “Organisations that delay preparation risk serious operational and financial consequences.”
ONEKEY Offers Pathway to CRA Readiness
To help organisations bridge the compliance gap, ONEKEY has introduced a CRA Readiness Assessment Workshop, designed especially for businesses new to the regulation.
The programme includes:
- Introductory sessions explaining CRA obligations
- A tailored assessment of organisational impact
- In-depth reviews of software development and vulnerability management
- Gap analysis to identify compliance shortfalls
- A customised roadmap for structured CRA implementation
This hands-on approach allows companies to move from uncertainty to actionable compliance strategies.
Automated Cybersecurity for a Complex Digital Era
ONEKEY also provides a fully automated Product Cybersecurity & Compliance Platform (OCP) that simplifies compliance through:
- Automated SBOM generation
- Continuous vulnerability management
- AI-driven detection of firmware security flaws
- “Digital Cyber Twins” for 24/7 post-release monitoring
- Built-in support for major standards, including:
  - EU Cyber Resilience Act
  - IEC 62443-4-2
  - ETSI EN 303 645
  - UNECE R 155
Its integrated Compliance Wizard and Product Security Incident Response Team (PSIRT) tools further streamline vulnerability prioritisation, significantly cutting response time during security incidents.
A Call for Urgent Action Ahead of 2027 Deadline
As the countdown to full CRA enforcement continues, the message from ONEKEY’s 2025 report is unmistakable: technology alone is not enough.
Without consistent training, clear governance, and proactive compliance planning, organisations risk falling behind both regulators and cybercriminals.
For Europe’s digital economy, closing the cybersecurity training gap is no longer optional—it is a strategic necessity for resilience, trust, and long-term competitiveness.





























