IoT Meets Regulation: Cybersecurity as a Non-Negotiable
For Original Equipment Manufacturers (OEMs), service providers, and enterprises, falling short on compliance isn’t an option. It risks financial penalties, reputational damage and erosion of customer trust.
As the Internet of Things (IoT) has matured and become more prevalent, it has increasingly become a regulated domain rather than a technological frontier. A wide range of regulatory frameworks apply in numerous territories around the globe, including the EU Cyber Resilience Act. Taken together, they mean that manufacturers must now take concrete steps to improve the cyber resilience of their products. Whether it’s communications integrity or data confidentiality, these measures are a baseline requirement to enter many markets around the world.
Regulation as a Catalyst for Trust
Regulators are making cybersecurity an embedded obligation. Devices must now be designed and maintained with safeguards for data protection, privacy, and operational resilience.
This means measures such as secure device identity and lifecycle protection, which prevent device IDs from being cloned or tampered with. If threat actors succeed in cloning or tampering with a device ID, they may be able to capture sensitive data from a compromised IoT device.
Another basic safeguard is the ability to detect and patch vulnerabilities through authenticated firmware updates. IoT devices can remain in place for years or even decades, depending on the use case. It’s highly likely that firmware vulnerabilities will be identified in that time. Having effective ways to patch these flaws ensures that devices remain safe against evolving threats, as well as from compromised updates themselves.
Cyber resilience of these devices is also impossible without being able to trust the veracity of their communications and the confidentiality of the data they handle and store. Effective encryption, alongside management of the cryptographic keys used, is essential to achieving this.
Compliance, therefore, is increasingly about reinforcing long-term trust in connected products, enabling sustainable IoT adoption.
Hardware-Based Trust Anchors
Strong device identity is at the heart of compliance. Thales addresses this need through embedded eSIM (eUICC) and Secure Element (eSE) technologies, creating hardware-based trust anchors that:
- Securely protect device identifiers, preventing cloning and unauthorised use
- Guarantee the authenticity and integrity of firmware updates
- Safeguard sensitive data throughout the device lifecycle
By embedding these capabilities from day one, OEMs accelerate time-to-market for compliant devices while simplifying the challenges of global deployment.
Building Resilience Across the Lifecycle
Cybersecurity in IoT is an ongoing discipline. Thales supports this with its Build, Run, Protect framework, which ensures security and compliance across every phase of a device’s lifecycle.
- Build – In-factory provisioning that reduces complexity and optimises device battery life
- Run – Adaptive connectivity that keeps devices secure online
- Protect – Continuous updates and protection through services like PKIaaS and secure Firmware-Over-the-Air (FOTA) updates
This lifecycle approach ensures that as regulations evolve and new threats emerge, IoT deployments remain both compliant and resilient.
Proven Market Leadership
Thales is the world’s #1 provider of eSIM subscription management solutions, with more than 400 projects delivered and partnerships with over 100 OEMs globally. As a leader in GSMA standards, including SGP.32 for eSIM interoperability and IoT SAFE cybersecurity specifications, Thales is actively shaping the regulatory frameworks that define the industry’s future. This leadership ensures that enterprises adopting Thales solutions are not only compliant today but future-ready.
From Compliance to Confidence
As regulatory scrutiny increases, true leaders will be those who view compliance not as an obligation but as an opportunity to differentiate. By embedding Thales’ trusted solutions and lifecycle services, CIOs, CTOs, and product leaders can build IoT ecosystems that go beyond regulation – delivering resilience, reliability, and long-term customer confidence.