At The Things Conference 2025, I shared a story about a lost suitcase and how one small failure in a global system can break trust instantly.
This simple incident illustrates a much larger truth in the IoT world: when one link fails, the entire chain becomes vulnerable.
🎥 Watch the keynote here: Lost lugage, to lost control.
The Cyber Resilience Act (CRA) will reshape how we design, build, deliver, and maintain connected products.
Beginning in 2025 for wireless devices and fully enforced by December 2027 for all products with digital elements, manufacturers will face strict obligations around:
- Security-by-design & secure architecture;
- SBOM and component transparency;
- Vulnerability handling & coordinated disclosure;
- Secure updates and lifecycle management;
- Supply-chain and open-source software governance.
The message is clear: you cannot retrofit cybersecurity in Q4 2027.
The CRA requires structural change, in engineering, documentation, testing, procurement, and post-market support.
IoT hardware, embedded software, cloud services, and remote data processing are now all in scope.
Companies that start early gain three major advantages:
- Lower long-term compliance cost;
- Avoiding Notified Body bottlenecks;
- Stronger trust and faster market access.
Companies that delay will face redesigns, delays, and blocked shipments.
The CRA isn’t just a regulation, but it’s a shift in mindset. Security can no longer be the last step. It must be the first design decision.
The companies preparing today will lead tomorrow.
