Hello readers!

This week, we’re looking at the impending EU Cyber Resilience Act and its ramifications, how best to make use of mountains of IIoT data, and more!

September 2026 is no longer an abstract date on someone else's compliance calendar. The EU Cyber Resilience Act's reporting obligations kick in this fall, and for manufacturers of connected devices — from industrial sensors to consumer smart home hardware — the window to get ready has gone from narrow to tight. The CRA is among the most sweeping IoT security regulations ever enacted, covering any product with digital elements sold in the EU and carrying financial penalties significant enough to pull non-compliant products from the market entirely. For IoT teams that have been watching the regulation approach without fully internalizing what it demands, this is a useful moment to reckon with the scope of the work still ahead.

The CRA's core premise is that security can no longer be bolted on after the fact. For years, IoT devices shipped with default credentials that users never changed, firmware that went unpatched for months or years, and no real mechanism for lifecycle updates. Estimates put the share of manufacturers shipping products with known vulnerabilities as recently as 2020 at around 50 percent. The regulation responds to that track record by requiring "secure by default" configurations — meaning a device's out-of-the-box state must be its most secure state, and any security improvements applied through patches should persist even after a factory reset. That's a meaningful architectural constraint, and it requires embedding OTA update infrastructure into the product from the design stage rather than retrofitting it later.

The compliance requirements pile up quickly from there. The CRA also mandates that manufacturers maintain a Software Bill of Materials — a full, current inventory of every software component in a product, including third-party dependencies. For complex IoT systems, generating that inventory in the first place is hard enough. Keeping it accurate as software evolves, fleets scale, and third-party components receive their own updates is the kind of ongoing operational task that requires dedicated process and tooling, not a one-time audit. Add vulnerability disclosure requirements, CE marking obligations, and the need to demonstrate compliance across entire supply chains, and the picture is one of sustained, cross-functional effort rather than a finite project with a completion date.

What makes the CRA particularly consequential beyond Europe is that it doesn't offer a convenient workaround for companies considering other markets. IoT regulatory compliance has gone global, with Japan, India, Brazil, and the US all developing their own frameworks, and the EU standard often functions as the floor. Companies that treat the CRA as a European concern are likely underestimating the regulatory direction of travel. Transforma Insights now ranks compliance ahead of cost and connectivity as the top challenge in IoT deployment, which reflects how seriously practitioners are taking this shift. For manufacturers that export globally or operate at scale, building CRA-compliant processes is increasingly table stakes for market access.

The practical question at this point is where to start if you haven't already. For teams in the middle of product development, the most valuable move is treating the CRA's secure-by-default requirement as a design constraint — which means OTA update infrastructure, code signing, and vulnerability management need to be in the architecture before the product ships. For organizations managing existing fleets, a realistic SBOM and a documented update cadence are the foundation everything else depends on. The September deadline marks when reporting obligations begin, and readiness is already overdue for many.

Walk into most manufacturing plants today, and you'll find one thing in abundance: data. This includes temperature readings from fermenters, flow rates from processing lines, yield reports from execution systems, shift records tucked inside a SQL Server database that's been running since 2011, and more. The problem is using this data; all of it lives in completely different places, speaks completely different languages, and was never designed to talk to each other (sometimes intentionally, not designed to work together).

Standard H.264 video chews through 4–6 Mbps per camera, driving up cellular data costs and limiting how broadly surveillance can scale.

Semtech's integrated Video Compression Solution — combining Digital Barriers' EdgeVis™ AI compression, multi-carrier Smart Connectivity, rugged AirLink® XR60 routers, and AirVantage® management — reduces cellular video data by up to 90% and delivers TCO savings of up to $2,500 per camera over 36 months.

In this episode of the IoT For All Podcast, Matthias Wagner, Founder and CEO of Flux, joins Ryan Chacon to discuss AI-assisted hardware design for IoT. The conversation covers the historical challenges of hardware design, the current capabilities of AI tools, compressing the hardware iteration cycle, integration challenges, the limitations of AI, and enabling IoT innovation.

YouTube • Spotify • Apple • YT Music • Amazon

Interested in becoming an IoT For All Partner? Reach out here!