The Board's New Mandate: Cybersecurity as a Fiduciary Responsibility
Why IoT company boards must treat cybersecurity as a core fiduciary duty. Oversight is no longer optional in today's risk-driven regulatory landscape.
Scaling Security: How Automation Makes it Possible to Manage 10+ Device Variants and Updates Securely
The core challenge? Scaling security to match your product's complexity.
If your team is still relying on manual, point-in-time penetration testing, every new product variant, every minor firmware update, and every regional configuration change adds exponential overhead. This leads to a dangerous trade-off: compromising on the depth or frequency of testing to meet tight launch deadlines.
Understanding the Fines: The Real Cost of EU CRA Non-Compliance
What do EU CRA fines really mean for your business? This post reveals the true financial risks of non-compliance—and the steps smart IoT companies take to stay protected. Find out how to avoid penalties before it’s too late.
From Cost Center to Revenue Driver: How Proactive Cybersecurity Builds Brand Trust and Market Share
In the competitive world of IoT, CEOs and CFOs often view cybersecurity through the narrow lens of cost—the expense of compliance, audits, and security teams. This perspective is outdated, especially as connected devices become integral to customers’ lives and businesses.
Beyond the Checklist: Why Automated Testing is a Game-Changer for IEC 62443-4-2 Compliance
For Product and Engineering Managers in IoT manufacturing, navigating the complex landscape of cybersecurity compliance is a constant challenge. Among the most frequently requested standards, IEC 62443-4-2 stands out, defining technical security requirements for control system components.
Read this post to learn how to transform compliance from a reactive, laborious process into a proactive, efficient, and deeply integrated part of your development lifecycle.
The EU RED Countdown: 4 Things You Must Do Now to be Prepared
Compliance officers at IoT device manufacturing organizations must act immediately to prepare for the EU Radio Equipment Directive (RED) and its new cybersecurity requirements, which became mandatory on August 1, 2025. The new EN 18031 series of standards provides the framework for demonstrating compliance. A successful strategy focuses on proactive integration of these requirements into the product lifecycle.
The Clock Just Ran Out: IoT Compliance Is Now Law in Europe
The alarm clock rang on August 1st, 2025, and everything changed. Europe's IoT compliance shifted from voluntary to mandatory overnight. With RED requirements now enforced and CRA coming in 2027, IoT manufacturers face a new reality: get compliant or lose market access. Discover why smart companies are turning compliance challenges into competitive advantages.
Test of Things development is co-funded by the EU
The European Union has taken decisive action to address cybersecurity issues by introducing new regulations like the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA). We are proud to be supported by the European Union in developing our innovative technology further.
The goal is to develop a product prototype that is easy to use and allows users to self-assess their product’s compliance with the security standards and regulations. The grant empowers us to further our mission of protecting customers and society from cyber incidents by making IoT cybersecurity testing easy and automated.
Looking beyond devices for complete IoT security
In the Internet of Things, attackers try to find the weakest links wherever possible. We, the security testers, should also look at the whole system. Unfortunately, assessments often stop at the device itself, excluding backend cloud services and applications.
The ‘S’ in SBOM Isn’t for Security
A Software Bill of Materials (SBOM) is hailed as the solution to managing cybersecurity. It brings transparency to the software components in use and allows you to check whether published vulnerabilities may be present in your system. This is great, but an SBOM leaves many aspects of product security unaddressed.
Yin and yang of IoT security: security function and quality
The security of an Internet of Things (IoT) product, or any networked system, has two dimensions. First, there are security functions such as user authentication and data encryption. Second, there is the quality aspect of security, as low-quality software easily contains vulnerabilities.
Informal history of network protocol security: from Garden of Eden to Zero Trust
Burden of cybersecurity regulation
IoT cybersecurity regulations are essential for protecting users and infrastructure, but they can also create significant barriers to entry for companies in the IoT industry. Here's a breakdown of the key challenges.
Summer of Things - Test of Things summer Internships 2025
Summer of Things
At Test of Things, we are building the future platform for securing the Internet of Things. We are looking for two interns for summer 2025. Trainees would work in the R&D team on tasks like security assessment of IoT devices, development of security testing tools, participation in evaluation projects, and working with our open-source platform Toolsaf (https://github.com/testofthings/toolsaf).
Decoding Cybersecurity: EN 18031 vs. the EU Cyber Resilience Act
The world of connected devices is booming, and the critical need for robust cybersecurity comes with it. Two key players in this arena are EN 18031 (the harmonised standard series under the Radio Equipment Directive, RED) and the EU Cyber Resilience Act (CRA). While both aim to improve the security of our digital lives, they approach the challenge from different angles. Let's break down the key differences and explore how they relate.
Security statements for machine-readable cybersecurity posture
A security statement is a machine-readable description of a system’s security characteristics: network nodes (devices, gateways, applications and servers), network interfaces (ports and services), connections between the network nodes and services, web interfaces, authentication methods, SBOMs, data encryption at rest (and in transit), and so on.
Once those have been defined, they can be tested and verified.
IoT cybersecurity requirements: Same but different
There are numerous security requirement specifications across various industries and regions (US, EU, UK, SGP for example). Vendors need to comply with many of them simultaneously to maximise their market potential.
But how much do the security standards differ from each other?
EU Cyber Resilience Act (CRA): Vulnerability handling requirements
Tackling vulnerabilities is at the top of the CRA’s priority list. Device manufacturers and developers will need to offer customers support for the expected product lifetime or five years, whichever is shorter. During that period manufacturers are obliged to address and correct security flaws promptly.
EU Cyber Resilience Act (CRA): Essential Cybersecurity Requirements
In this post, we focus on EU Cyber Resilience Act’s essential security requirements.
The European Union (EU) Cyber Resilience Act (CRA) Decomposed: SCOPE
The Cyber Resilience Act (CRA) is a groundbreaking piece of legislation designed to enhance the cybersecurity of digital products and services made available in the EU. The CRA will enter into force on December 10th, 2024.