Regulations Driving IoT Security Forward
From EU CRA to FDA 524B, IoT regulations are reshaping the market. Learn what manufacturers need for compliance—SBOMs, testing, and supply chain visibility.
Robert Kelley
For years, IoT security was treated as optional. Manufacturers could prioritize speed and cost over security, and the market rarely pushed back. That era is ending.
Regulations are rapidly reshaping what it means to build and sell connected products, and for many, compliance is now a condition for market access.
From the EU Cyber Resilience Act to the U.S. Cyber Trust Mark, compliance is no longer a future concern, it’s here. In my work as a penetration tester, I’ve seen how these rules are already shaping conversations with manufacturers, shifting security from a “nice-to-have” to a core business requirement.
The New Regulatory Landscape
Several major frameworks are setting the pace:
- EU Cyber Resilience Act (CRA)
- Applies to connected products sold in the EU.
- Requires manufacturers to demonstrate secure-by-design development, including vulnerability management, incident response, and security updates throughout the product lifecycle.
- SBOMs and vulnerability disclosure are expected to be central.
- Enforcement: products that don’t comply may be barred from sale in the EU.
- Applies to connected products sold in the EU.
- CE RED Article 3.3
- Targets radio and wireless-enabled devices in Europe.
- Requires protections around network communications, personal data, and fraud prevention.
- Compliance is tied to CE marking, meaning manufacturers can’t legally sell non-compliant products in the EU.
- Targets radio and wireless-enabled devices in Europe.
- U.S. Cyber Trust Mark
- A voluntary labeling program (administered by NIST and FCC) for consumer IoT products.
- Requires conformance to NIST baseline security standards (no default passwords, vulnerability management, secure update mechanisms, data protection).
- Expected to become a de facto market requirement as retailers and consumers prefer labeled devices.
- A voluntary labeling program (administered by NIST and FCC) for consumer IoT products.
- FDA Section 524B (Medical Device Cybersecurity)
- Applies to connected medical devices in the U.S.
- Mandates SBOMs, vulnerability management, coordinated disclosure, and secure update capabilities.
- Manufacturers must submit cybersecurity documentation as part of premarket submissions.
- Applies to connected medical devices in the U.S.
- Automotive / Transportation Sector Rules
- UNECE WP.29 (R155/R156) requires automakers to maintain a cybersecurity management system (CSMS) and provide software update management systems (SUMS).
- In practice, this means SBOMs, ongoing vulnerability monitoring, and regular security testing.
- UNECE WP.29 (R155/R156) requires automakers to maintain a cybersecurity management system (CSMS) and provide software update management systems (SUMS).
These are just a few examples, but the message is clear: secure-by-design is no longer optional.
What It Means for Manufacturers
These regulations aren’t just checklists; they represent a shift in how IoT products are expected to operate. Moving forward, Manufacturers must:
- Design for security from the start instead of bolting it on later.
- Maintain visibility into the software supply chain with SBOMs and continuous vulnerability monitoring.
- Prove security controls through testing, including penetration testing and vulnerability management.
- Document compliance to regulators and, increasingly, to customers and partners.
For companies that delay, compliance will feel like a scramble. For those that act now, it’s an opportunity to build trust and differentiate in the market. Products that can demonstrate compliance — and prove it through testing and documentation — gain a competitive advantage.
“Security isn’t just a requirement; it’s a selling point.”
How Finite State Helps
Finite State is built to align directly with these new requirements. By combining platform automation with expert services, Finite State helps manufacturers not only meet compliance but also reduce risk and accelerate time-to-market.
- SBOM Management — generate, manage, and continuously enrich SBOMs to meet regulatory demands.
- Automated Vulnerability Analysis — detect and prioritize issues across firmware, binaries, and source code.
- Penetration Testing & Services — provide the independent validation regulators expect.
- Compliance Reporting — demonstrate conformance to CRA, FDA 524B, UNECE, and more with exportable reports and audit trails.
Preparing for What’s Next
Compliance can’t be an afterthought. It requires visibility into your software supply chain, the ability to generate and manage SBOMs, continuous monitoring for vulnerabilities, and independent validation through testing.
Manufacturers who wait until the last minute will be scrambling. Those who invest now will be ready — and stronger for it.
Learn More
Discover how Finite State helps organizations navigate global IoT regulations with confidence.
Tags
Robert Kelley
Robert is Services Lead and a Senior Penetration Tester at Finite State, with deep experience spanning offensive and defensive security. He’s led high-impact cybersecurity initiatives at organizations like Raytheon, the Federal Reserve, and Synopsys, bringing expertise in embedded systems, DoD frameworks, and tailored risk-driven solutions. Known for bridging red and blue team roles, Robert takes a holistic, mission-focused approach to securing critical systems.
