When a device becomes a liability – why compliance is now the foundation of product design

A few years ago, asking “is our device safe?” meant checking functional performance, failure rates, and environmental test results. Today, that same question carries a fundamentally different weight. The safety of an embedded device now means resistance to cyberattacks, compliance with legal frameworks, and the manufacturer’s accountability throughout the entire product lifecycle. 

The rapid expansion of IoT, industrial automation, smart buildings, and critical infrastructure has created a new reality. Embedded devices are permanently connected to networks, continuously exchanging sensitive data with cloud platforms, and controlling safety-critical processes. They have also become prime targets for attackers. Cyberattacks on industrial control systems, firmware manipulation, hijacked access control systems, disabled fire panels – these are no longer theoretical threats. 

A new wave of legal requirements and technical standards is fundamentally changing what it means to build an embedded product. Security is no longer something added at the end of a project; it is a certification requirement, part of CE marking, and a condition for market entry. 

The real cost of unprotected devices  

Behind every new compliance requirement, there is a concrete risk that regulators decided could no longer be ignored. 

  • Cyberattacks on critical infrastructure. Industrial control systems, fire alarm panels, access control networks, and CCTV systems are increasingly targeted by adversaries. Gaining control of a building’s or facility’s security infrastructure can have catastrophic real-world consequences for human life and safety. 
  • Compromised supply chains. A vulnerability in a single component can compromise the entire product. Regulators are responding with mandatory SBOM requirements and supply chain security audits. 
  • Lack of security updates. Millions of IoT devices continue running firmware that is years old, with no mechanism for over-the-air updates. Every known, unpatched vulnerability in a deployed device is an open door for attackers. 

European regulations  

The EU has moved faster and more decisively than any other major regulatory body in setting binding cybersecurity requirements for connected products. Here is what embedded manufacturers operating in – or selling into – Europe need to know. 

Cyber Resilience Act (CRA) 

The Cyber Resilience Act is the most consequential European regulation affecting connected and embedded products today. It covers virtually all digital devices and embedded systems sold on the EU market. 

The CRA requires manufacturers to: 

  • design products with security from the first day of development (secure-by-design); 
  • actively manage vulnerabilities throughout the product’s supported life; 
  • deliver security updates for the entire operational lifecycle; 
  • produce and maintain a Software Bill of Materials (SBOM); 
  • document security architecture and risk assessments; 
  • implement incident response and mandatory reporting processes. 

For embedded electronics manufacturers, this means one thing above all: a Secure Software Development Lifecycle (Secure SDLC) must become an integral part of the design process, not a last-minute addition before deployment. 

NIS2 Directive 

The NIS2 Directive targets operators of critical infrastructure, but its reach extends further than many suppliers expect. 

Because NIS2 mandates supply chain security, any embedded or IoT technology supplier to a NIS2-regulated customer must demonstrate cybersecurity maturity. Security audits of technology suppliers are becoming a standard feature of industrial and critical infrastructure procurement processes. NIS2 emphasizes risk management, cyber resilience, executive accountability for cybersecurity, and supply chain security governance. 

RED Delegated Regulation 

The Radio Equipment Directive’s delegated regulation introduces mandatory cybersecurity requirements for all radio and wireless devices. This is a significant shift for embedded hardware designers – particularly given the growing number of wirelessly connected devices across industrial and building automation sectors. 

US regulations 

The United States has a less centralized regulatory environment than the EU, but its technology standards carry enormous global influence, and in many sectors, compliance is enforced not by law but by the market itself. 

NIST Frameworks 

The National Institute of Standards and Technology has produced frameworks that underpin the majority of enterprise and industrial cybersecurity architectures worldwide: NIST CSF 2.0, covering identify, protect, detect, respond, and recover functions; NIST SP 800-82, with guidelines specific to industrial control systems (ICS/OT); and the NIST Secure Software Development Framework (SSDF), a practical guide to building security into the software development lifecycle. 

For embedded companies targeting enterprise customers or US federal infrastructure, alignment with NIST is not optional — it is a baseline expectation. 

FDA Cybersecurity Requirements 

The FDA’s cybersecurity requirements for connected medical devices illustrate clearly where the broader industry is heading. The FDA mandates SBOM, secure update mechanisms, vulnerability disclosure programs, and lifecycle cybersecurity management. 

The core message is universal – manufacturers are responsible for product security not just at the point of sale, but for the entire operational life of the product. This model of extended accountability is already spreading beyond medtech, and will eventually reach every segment of the embedded electronics industry. 

What does it mean for electronics manufacturers? 

These regulatory changes are not a future concern; they are already reshaping procurement, certification, and product architecture decisions today. Embedded manufacturers who fail to integrate compliance into their design process will face concrete market barriers: inability to obtain CE marking, exclusion from tenders, and certification failures. 

For companies operating in industrial electronics, IoT, medtech, and connected devices, this represents both a challenge and a genuine opportunity. The market increasingly needs engineering partners capable not only of building embedded products, but of guiding them through a complex compliance and cyber resilience journey. 
