As the connected device market matures, so too does its threat surface. And with the EU Cyber Resilience Act (CRA) officially in force as of December 2027, IoT manufacturers are now facing a new kind of liability. What used to be considered "security debt" — those known issues deprioritized in the name of speed or cost — has become "compliance debt" that could carry massive financial and reputational risk.
That shift was front and center in our recent webinar with Beecham Research and Aeris, where we dug into the real-world impact of the CRA and other global regulations. You can now watch the full webinar on demand.
IoT security has always posed unique challenges compared to traditional IT. Device manufacturers often rely on extensive third-party code and have limited visibility into their full software stack. Devices are deployed in the field for years, sometimes decades, with no easy way to update or monitor them. And because IoT sits at the intersection of embedded software, connectivity, and cloud services, securing the entire lifecycle is a cross-functional, multi-organization problem.
In the webinar, I described it like this: while IT teams can patch and control endpoints directly, IoT operators often can’t touch the internals of the devices they deploy. They’re dependent on the upstream supply chain to ship secure code. And when things go wrong, traditional security tools aren’t designed to detect or mitigate attacks that originate from the firmware level.
The CRA changes the equation. Its requirements are broad and deep, demanding:
These aren’t guidelines — they’re enforceable, with penalties up to €15 million or 2.5% of global annual revenue.
It’s a high bar. But it’s a good one. As we discussed during the webinar, the CRA is having a very positive impact on security. It’s forcing manufacturers to invest in areas they’d deprioritized for too long.
Here’s the reality: IoT has been accumulating technical security debt for years. That debt is now showing up as compliance risk. Vulnerabilities you ignored or couldn’t find are now subject to audit. Your suppliers' code quality is now your responsibility. If you’re not managing risk across the entire software supply chain, you’re out of step with the new normal.
And it’s not just the EU. As we discussed in the webinar, U.S. initiatives like the Cyber Trust Mark and FDA mandates for medical devices are moving in parallel. Global manufacturers will have to meet the strictest standards, and that means real investment in product security.
So what can you do today?
Finite State helps product security and compliance teams take on all of the above. From binary SCA and vulnerability management to SBOM lifecycle and CRA conformity assessments, we’re working with leading manufacturers to close the gaps before regulators (or attackers) find them.