IoT devices have proliferated across industries, from smart home gadgets to critical infrastructure components. However, this rapid growth has often outpaced security considerations, leading to vulnerabilities that threaten not only individual privacy but also organizational and national security.
In response, governments worldwide have begun implementing regulations that require manufacturers to demonstrate secure design practices, vulnerability management, and ongoing security commitments. This rapidly evolving cybersecurity regulatory landscape is placing increasing demands on IoT manufacturers to meet compliance requirements across multiple frameworks.
The challenge now is to harmonize compliance efforts across regions and frameworks without creating inefficiencies.
From the EU Cyber Resilience Act (CRA) to the U.S. Cyber Trust Mark and beyond, manufacturers must navigate a complex web of regulations while ensuring their products remain secure, resilient, and market-ready.
This guide explores key regulations, technical strategies for compliance, and how Finite State enables manufacturers to meet evolving security requirements.
The European Union has taken a leading role in establishing comprehensive security requirements for connected devices. Two key regulations stand out:
The CE RED framework governs the security and performance of radio-enabled devices sold in the EU. Beyond ensuring electromagnetic compatibility, CE RED requires manufacturers to implement robust security measures, especially around data protection and supply chain security.
The EU Cyber Resilience Act (CRA) represents a more comprehensive approach to device security. With initial enforcement beginning in 2026 and full implementation by 2027, the CRA mandates that products sold in the EU market must be secure by design and maintained throughout their lifecycle. This isn't a one-time certification but an ongoing commitment to security. Unlike voluntary programs, the CRA makes it illegal to sell non-compliant products in the EU and enacts strict penalties for violations.
What makes the CRA particularly impactful is its global reach. Rather than creating different versions for different markets, many manufacturers selling worldwide will likely implement the highest security standards across their entire product line, effectively making EU regulations a global standard.
In the United States, several frameworks are emerging to address device security:
The U.S. Cyber Trust Mark is a voluntary certification program aiming to improve IoT security transparency. Initially focused on consumer-grade devices such as Wi-Fi routers, the program has expanded to include various connected devices and other product categories, particularly those used by the federal government. Manufacturers that obtain the Cyber Trust Mark must demonstrate strong security practices, including secure data handling, vulnerability disclosure, and resilience against cyberattacks.
Although voluntary, there are indications that the US government may require this certification for products purchased for government use, making it a de facto standard for manufacturers who want to sell to this substantial market.
Executive Order 14028, implemented in May 2022, represents the Biden administration's commitment to improving US government cybersecurity. A key component of this initiative is the mandatory use of Software Bills of Materials (SBOMs) for government-contracted products. Manufacturers supplying devices to federal agencies must provide visibility into their software components, track vulnerabilities, and maintain an incident response framework.
The FDA 524B Program became effective for medical device manufacturers in September 2023. This program requires submitting evidence of cybersecurity commitments as part of the FDA certification process for medical devices. Requirements include SBOMs, vulnerability management plans, incident response procedures, and secure development practices.
"The challenge I see here is that you really need to get this submission right. You're spending a lot of time developing these products, potentially spending millions of dollars of R&D effort... and if there's something they don't like... they reject it." - Larry Pesce, VP of Services.
The trend is clear: comprehensive security requirements are becoming the norm rather than the exception.
Despite the differences between regulatory frameworks, several technical components appear consistently across them. By focusing on these areas, manufacturers can address approximately 80% of compliance requirements across multiple frameworks simultaneously.
Security by design represents a fundamental shift in how devices are developed. Rather than treating security as an afterthought or add-on feature, it integrates security considerations throughout the development process.
This approach includes:
While this shift may increase initial development costs, these investments typically pay off through reduced remediation costs and avoided security incidents.
Regular risk assessments form another critical component of cross-framework compliance. These evaluations examine what components are exposed in products, where vulnerabilities may exist, and how these vulnerabilities might be exploited.
Effective risk management requires:
By systematically assessing risks, manufacturers can prioritize security improvements and demonstrate due diligence to regulators.
Software Bills of Materials (SBOMs) have emerged as a foundational component of security compliance. More than just an inventory of software components, SBOMs enable effective vulnerability management by identifying exactly what software is included in a product. By maintaining enriched SBOMs, manufacturers can track vulnerabilities in real-time and issue patches before cybercriminals exploit them.
"If we know all the software components in our product, we can then leverage enrichment for that... We can do some analysis of which components are actually vulnerable based on this enrichment and this threat intelligence."
SBOMs support compliance by:
SBOMs are required under multiple regulations, including the EU CRA, EO 14028, and FDA 524B.
Security doesn’t end with product release. The ability to update devices securely is a critical compliance requirement across frameworks. This capability ensures that vulnerabilities can be addressed promptly when they are discovered.
Key elements include:
Secure update mechanisms are particularly important for IoT devices, which may remain in use for years after deployment.
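The checks a device runs on an incoming update are the concrete form of the "secure update" requirement above. The following is an added example, not Finite State's code or any vendor's update client: it builds a signed update package and then verifies it in the order a device should (authenticate the manifest first, then enforce anti-rollback on a monotonic version counter, then check the image digest). All keys, image bytes and version numbers are constructed for the example. HMAC-SHA256 from the standard library stands in for the asymmetric signature a real device would verify with a public key held in ROM or OTP; the sequence of checks is the same.

```python
"""Added example: firmware update verification with anti-rollback.
Not Finite State's code. All data below is constructed; HMAC stands in
for the asymmetric signature a production device would verify."""
import hashlib
import hmac
import json

# Constructed signing key. On a real device only the public half of an
# asymmetric key pair lives on the device; this symmetric key is a stand-in.
VENDOR_KEY = b"constructed-demo-key-not-for-production"


class UpdateRejected(Exception):
    """Raised when any verification step fails; the update is not applied."""


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> bytes:
    # Canonical JSON so the signer and the verifier authenticate identical bytes.
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def build_update(image: bytes, version: int, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: describe the image in a manifest and sign the manifest."""
    manifest = {
        "version": version,
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "signature": sign_manifest(manifest, key).hex(), "image": image}


def verify_update(update: dict, installed_version: int, key: bytes = VENDOR_KEY) -> int:
    """Device side: return the new version if every check passes, else raise.

    Order matters: nothing inside the manifest (version, digest, size) is
    trusted until the manifest's signature has been verified.
    """
    manifest = update["manifest"]
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, bytes.fromhex(update["signature"])):
        raise UpdateRejected("manifest signature invalid")
    # Anti-rollback: an older (or re-sent identical) version is never accepted,
    # even when it carries a valid vendor signature.
    if manifest["version"] <= installed_version:
        raise UpdateRejected(f"version {manifest['version']} is not newer than {installed_version}")
    image = update["image"]
    if len(image) != manifest["size"] or hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        raise UpdateRejected("image does not match the signed manifest")
    return manifest["version"]


def apply_update(update: dict, installed_version: int) -> tuple:
    """Return (accepted, version_after_update); on rejection the device stays put."""
    try:
        return True, verify_update(update, installed_version)
    except UpdateRejected:
        return False, installed_version


if __name__ == "__main__":
    image = b"constructed firmware image, version 7"
    print(apply_update(build_update(image, 7), installed_version=6))
```

The verifier reports only whether the update was accepted and what version is now installed; a rejected package leaves the device on its current firmware, which is the property the frameworks are asking for. Replacing the HMAC with an Ed25519 or ECDSA verification over the same canonical manifest bytes changes nothing else in the flow.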
A well-defined incident response plan is crucial for regulatory compliance. Manufacturers should establish monitoring systems to detect vulnerabilities, work closely with ethical hackers through vulnerability disclosure programs, and rapidly remediate threats.
This includes:
Real-time monitoring tools provide early warnings of emerging risks, allowing for proactive security measures.
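The SBOM enrichment described above (knowing every component, then matching each against threat intelligence to see which are actually vulnerable) and the continuous monitoring described in this section are the same computation run at two different times: once at build, and again whenever the vulnerability feed changes. The following added example, which is not Finite State's code or a real feed, parses a CycloneDX-shaped SBOM (CycloneDX is a real format; the components and versions here are constructed), matches components against a constructed vulnerability feed by version range, orders findings by severity, and diffs two feed snapshots to surface what is newly affected. The vulnerability identifiers and scores are placeholders.

```python
"""Added example: SBOM-driven vulnerability matching and feed monitoring.
Not Finite State's code. SBOM contents, feed entries, IDs and scores are constructed."""
import json
import re
from dataclasses import dataclass

# Constructed SBOM fragment in CycloneDX shape (real format, made-up contents).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libfoo",   "version": "1.2.3"},
    {"type": "library", "name": "netstack", "version": "2.0.9"},
    {"type": "library", "name": "tlslib",   "version": "3.1.0"}
  ]
}"""

# Constructed vulnerability feed: affected component, version range
# [introduced, fixed), and a severity score. "fixed": None means no patch yet.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "name": "libfoo",   "introduced": "1.0.0", "fixed": "1.2.4", "cvss": 9.8},
    {"id": "EXAMPLE-0002", "name": "netstack", "introduced": "2.1.0", "fixed": "2.1.5", "cvss": 7.5},
    {"id": "EXAMPLE-0003", "name": "tlslib",   "introduced": "3.0.0", "fixed": None,    "cvss": 5.3},
]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str
    version: str
    cvss: float
    fix_available: bool


def parse_version(v: str) -> tuple:
    """Numeric-tuple comparison; good enough for dotted versions like 1.2.3."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_json: str) -> list:
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def match(sbom_json: str, feed: list) -> list:
    """Enrichment step: which SBOM components fall inside an affected range.
    Highest severity first so the list doubles as a remediation priority."""
    findings = []
    for name, version in load_components(sbom_json):
        for entry in feed:
            if entry["name"] == name and is_affected(version, entry["introduced"], entry["fixed"]):
                findings.append(Finding(entry["id"], name, version, entry["cvss"], entry["fixed"] is not None))
    return sorted(findings, key=lambda f: (-f.cvss, f.component))


def new_findings(sbom_json: str, previous_feed: list, current_feed: list) -> list:
    """Monitoring step: re-run the match when the feed changes and report
    only findings that were not present against the previous snapshot."""
    known = set(match(sbom_json, previous_feed))
    return [f for f in match(sbom_json, current_feed) if f not in known]


if __name__ == "__main__":
    for f in match(SBOM_JSON, VULN_FEED):
        print(f"{f.vuln_id}: {f.component} {f.version} cvss={f.cvss} fix_available={f.fix_available}")
```

Run against the constructed data, libfoo 1.2.3 is affected (a fix exists), tlslib 3.1.0 is affected with no fix yet, and netstack 2.0.9 is clear because it predates the affected range; if a later feed snapshot adds an entry covering netstack 2.0.x, `new_findings` reports exactly that one. A real deployment substitutes an SBOM generated from the build and a maintained feed, and stores findings per product version so the diff can be computed on every feed update.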
"We need to consider having an active approach about engaging with the security research community so that when there is a new vulnerability, we can respond."
Transparency has become a key theme across regulatory frameworks. For instance, the US Cyber Trust Mark includes a QR code that consumers can scan to view a device's security rating and known vulnerabilities.
This transparency creates market incentives for security: "From a consumer perspective, I can go to Best Buy or Costco, and I can scan the QR codes, and this one's got a rating of 5.5, and this one's got a rating of 9, 9 being better. Maybe I'm gonna spend the extra ten dollars on the one that is currently more secure."
Effective transparency includes:
Finite State provides industry-leading solutions to help IoT manufacturers meet compliance requirements efficiently while strengthening product security. Our platform integrates security into the software development lifecycle, enabling continuous vulnerability assessment and risk mitigation.
By integrating with CI/CD pipelines, Finite State provides:
Finite State automates the creation and management of Software Bills of Materials, providing:
With real-time threat intelligence updates, organizations can proactively identify and mitigate risks before they impact customers or regulatory compliance, with clear indication of priority in what should be addressed first.
Finite State’s expert security team provides comprehensive penetration testing, device assessments, and threat modeling to identify vulnerabilities in IoT products. Our security assessments align with major regulatory frameworks, helping manufacturers prepare compliance documentation and strengthen their security posture. Additionally, our strategic advisory services offer policy-driven consulting, enterprise security program development, and regulatory compliance roadmaps to help organizations navigate complex cybersecurity regulations, including the EU Cyber Resilience Act (CRA), CE Radio Equipment Directive (RED), and the Cyber Trust Mark.
With daily updates to our threat intelligence and CVE database, Finite State enables manufacturers to track emerging vulnerabilities and respond rapidly. Finite State's vulnerability management capabilities include:
For years, security has been viewed as a cost center rather than a fundamental requirement for market success. However, as compliance mandates grow stricter, IoT manufacturers must recognize that strong security practices are no longer optional—they are essential.
The regulatory landscape will continue to evolve, but one thing is clear: Manufacturers that invest in security today will be better positioned for tomorrow’s challenges. With solutions like those offered by Finite State, companies can navigate the complexities of compliance while ensuring their devices remain secure, resilient, and trusted by customers worldwide.
Want to learn how Finite State can help your organization streamline compliance and secure your IoT devices? Contact us today to schedule a consultation.