Secure by design, or else
The EU’s Cyber Resilience Act lands this year, and the IoT industry is running out of time to pretend it’s ready.
In July last year, Google filed a lawsuit against the operators of a botnet called BadBox 2.0. If you missed it, the short version is this: over ten million IoT devices (smart TVs, digital picture frames, in-car infotainment systems, cheap Android streaming boxes) were found to have malware pre-installed on them. Not hacked after purchase. Not compromised through a dodgy firmware update. Infected before the buyer even opened the box. The FBI put out a public advisory. Google pulled apps from the Play Store. And somewhere in a factory, probably several factories, someone had made a decision that shipping a product with embedded malware was an acceptable business practice.
I keep coming back to that number. Ten million devices. Not ten million users who clicked a bad link or ignored a security warning. Ten million people who bought something, plugged it in, and were compromised before they’d finished reading the setup instructions. There’s something about that which feels different from the usual cybersecurity horror stories. It’s not about negligence on the user’s part. It’s about what the industry decided was good enough.
Which is probably why the EU decided that asking nicely wasn’t working anymore.
The Cyber Resilience Act, the CRA, has been talked about for a while now, but 2026 is the year it actually starts to bite. The first conformity assessment bodies begin checking products in June. By September, manufacturers are legally required to report actively exploited vulnerabilities. And the penalties, if you’re wondering, go up to fifteen million euros or two and a half percent of global annual turnover, whichever is higher. This isn’t a gentle nudge. It’s the kind of enforcement framework that tends to concentrate the mind.
I should be honest here: I’m not a security expert. When it comes to the technical depth of cybersecurity, I’m still learning. What I do notice, though, is the conversations changing. At a Thames Valley IoT meetup last November, Robin Kennedy presented on CHERI, a hardware security architecture backed by a £21 million UKRI and Innovate UK funding package. It was a useful session, the kind that makes you realise the ground is shifting. Not a new sensor platform or a clever edge computing use case. Security as a foundational concern, not an afterthought.
The core principle of the CRA is something called “secure by design.” In plain language, it means you can’t ship first and patch later. Security has to be built into the product from the start, maintained throughout its lifecycle, and documented in a way that’s auditable. Manufacturers need to produce a Software Bill of Materials, an SBOM, which is essentially a complete inventory of every software component in the device, every library, every dependency, every version number, so that when a vulnerability is discovered, it can be traced and addressed. They also need to conduct regular penetration testing, run vulnerability scans, and report incidents to regulatory bodies within specific timeframes.
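As an added illustration (not code from the article or from any CRA guidance), this is what the traceability an SBOM exists for looks like in practice: a constructed CycloneDX-style inventory for a hypothetical gateway is matched against a constructed advisory, and the inventory is also checked for components that lack the version numbers the CRA expects. All component names, versions and the advisory id are sample values.

```python
import re

# Constructed sample SBOM in a CycloneDX-like shape (hypothetical product and components).
SBOM = {
    "metadata": {"component": {"name": "fieldsensor-gateway", "version": "2.4.1"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "mbedtls", "version": "2.28.3", "purl": "pkg:generic/mbedtls@2.28.3"},
        {"type": "library", "name": "busybox", "version": "1.36.1-r2", "purl": "pkg:generic/busybox@1.36.1-r2"},
        {"type": "library", "name": "vendor-blob", "purl": "pkg:generic/vendor-blob"},  # version missing
    ],
}

# Constructed sample advisory: affected range is [introduced, fixed), as OSV-style advisories use.
ADVISORY = {"id": "ADV-EXAMPLE-0001", "package": "zlib", "introduced": "1.2.0", "fixed": "1.2.12"}


def parse_version(version):
    """Turn '1.36.1-r2' into (1, 36, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_in_range(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def affected_components(sbom, advisory):
    """Return the purl of every SBOM component the advisory applies to."""
    hits = []
    for component in sbom["components"]:
        if component["name"] != advisory["package"] or "version" not in component:
            continue
        if version_in_range(component["version"], advisory["introduced"], advisory["fixed"]):
            hits.append(component["purl"])
    return hits


def components_missing_version(sbom):
    """An SBOM entry without a version cannot be traced to any advisory; flag it."""
    return [c["name"] for c in sbom["components"] if not c.get("version")]


if __name__ == "__main__":
    print("affected:", affected_components(SBOM, ADVISORY))
    print("untraceable:", components_missing_version(SBOM))
```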
If you’re Siemens or Qualcomm, this is a headache but a manageable one. You have compliance teams. You have security architects. You have legal departments that read directives like these for breakfast. But what about a five-person startup building connected sensors for agriculture? Or a small manufacturer in Shenzhen making the kind of affordable IoT modules that power half the hobby projects and small commercial deployments across Europe? The regulation doesn’t distinguish by company size. The requirements are the same whether you’re turning over fifty billion or five hundred thousand.
I’m genuinely uncertain about where this lands. On one hand, the principle is hard to argue with. The IoT industry has accumulated years of what you might call security debt, treating protection as something to be bolted on after the fact, if at all. GlobalSign published an assessment earlier this year that put it bluntly: security maturity hasn’t caught up with IoT deployment. The cultural shift required, treating security as foundational rather than optional, is still incomplete. When you look at the BadBox story, or the fact that manufacturing has been the number one target of IoT security threats for four consecutive years according to IBM’s threat intelligence data, the case for regulation is pretty straightforward. Someone needed to force the issue because the market wasn’t doing it on its own.
But then I think about the kinds of companies that make IoT interesting. The small teams building things with limited resources. The ones who chose this space because a good idea could still compete without needing enterprise-scale infrastructure behind it. And I wonder whether the compliance burden will end up consolidating the market in ways we don’t want. If you need a dedicated security infrastructure, a compliance-as-a-service subscription, legal advice on SBOM documentation, and the capacity to run ongoing vulnerability management across a product’s entire lifecycle, that’s a significant overhead. For companies already operating at the margins, it could be the thing that tips the economics from viable to impossible.
There’s an emerging ecosystem trying to address this. Compliance-as-a-service platforms, third-party security validation providers, shared infrastructure for vulnerability monitoring. Quectel, one of the bigger module suppliers, announced just this month that they’re leaning on third-party validation ahead of the CRA deadlines. Even at the module level, people are feeling the pressure. But the ecosystem is young, and it’s unclear whether the tools will mature fast enough to help the companies that need them most. The ones who aren’t Quectel-sized.
I’ve been thinking about this through the lens of what happened with 2G and 3G network shutdowns, another major shift the IoT world has been navigating. When those networks started switching off, the companies that had built products on legacy connectivity suddenly had to adapt or die. Some managed it. Many didn’t. The pattern was similar: a long-announced change that everyone knew was coming but that a surprising number of businesses hadn’t adequately prepared for. The CRA feels like it might follow the same trajectory. The deadlines have been published, the requirements are clear, and yet the general sense, if the industry publications are anything to go by, is that most companies are not ready. A 2025 industry retrospective described the year as going “from calamity to promise and peril,” which is about as honest a summary as you’ll find.
What I’m not sure about, and I’ll admit this openly, is whether the regulation will create the outcome its designers intend. There’s a version where the CRA raises the floor for the entire industry, where secure by design becomes the norm rather than the aspiration, and where consumers can actually trust the devices they bring into their homes and businesses. That’s the optimistic reading. But there’s also a version where it primarily benefits the large incumbents who can absorb the compliance costs, while pushing smaller innovators out of the European market entirely. Where the net effect is fewer players making safer but more expensive devices, and the innovation that makes IoT interesting in the first place migrates to less regulated markets.
The honest answer is probably that both things happen at once, which is what makes regulation like this so difficult to evaluate until years after the fact. The principle is right. The execution will be messy. And the people it hits hardest won’t be the ones who were shipping malware-laden digital picture frames.
I’ll be watching closely how this plays out in our community over the next six months. The September deadline in particular feels like a moment where we’ll start to see which companies have been preparing and which have been hoping it would somehow go away. If you’re building IoT products right now, regardless of scale, the CRA is probably the most important piece of regulatory context you need to understand. Not because it’s perfect, but because it’s real, it’s coming, and the fines suggest they’re not bluffing.
Whether it ends up protecting the ecosystem or reshaping it beyond recognition is, I think, a question we won’t be able to answer for a while yet.
Reference links:
IoT Security in 2026: Regulation, Standards & Trust (GlobalSign)
Quectel leans on third-party security validation (IoT Business News)