Achieving regulatory compliance for connected devices is a fundamental condition of doing business for Original Equipment Manufacturers (OEMs) and asset operators. The proliferation of connected devices across the Industrial Internet of Things (IIoT) has changed manufacturing, energy, and supply chain operations. However, this hyper-connectivity has introduced unprecedented cybersecurity risks, prompting governments worldwide to implement stringent regulatory frameworks. Inspections in regulated industries have doubled over the past three years alone due to the increasing complexity of operations and the rapid introduction of new technologies.
What follows is a comprehensive guide to navigating the complex global landscape of regulatory compliance for connected devices.
1. The Global Regulatory Landscape
Understanding the regional nuances of compliance is critical for global manufacturers and energy providers. Regulations vary significantly across geographies, creating a complex web of requirements for connected devices.
| Region | Primary Regulations & Frameworks | Key Compliance Focus |
| --- | --- | --- |
| Europe (EU) | Cyber Resilience Act (CRA), NIS2, EU Data Act, EU AI Act | Secure by design principles, standardized security baselines for critical infrastructure, and strict transparency for autonomous systems. |
| North America (US & Canada) | NIST 800-53/8183/882, NERC CIP, TSA Security Directive 2 | Power sector security standards and specific directives focused on combating ransomware in connected infrastructure. |
Global Liability
Across regions, there is a distinct shift in accountability. Regulatory bodies like the SEC are increasingly holding the board of directors and CEOs personally liable for cyber risk and compliance failures, elevating device security to a boardroom imperative.
2. Core Technical Pillars for Device Compliance
To achieve certification and adhere to these global standards, organizations must implement specific technical controls within their connected devices and operational technology (OT) environments.
A. Secure by Design & Digital Identity (PKI)
Regulations like the IEC 62443 standard and the EU Cyber Resilience Act mandate strong identity verification, encrypted communication channels, secure software patching, and over-the-air update verification. To achieve this, organizations are utilizing Public Key Infrastructure (PKI). PKI embeds a unique digital certificate (a “birth identity” or fingerprint) into every connected product, whether it is a control system, smart meter, or connected vehicle. This underpins a zero-trust architecture, in which every device must authenticate itself before it is allowed to communicate.
B. Supply Chain Transparency & SBOMs
Supply chain security is a massive regulatory focus. Asset owners are now making security a strict condition during the procurement and RFQ (Request for Quote) processes. Manufacturers must provide full visibility into the Software Bill of Materials (SBOM), clear vulnerability disclosure policies, and defined responsibilities for operating system patch management.
C. Data Provenance & Auditability
In highly regulated sectors like pharmaceuticals (governed by GxP and GMP standards), any action taken by a connected system must be fully transparent. Compliance demands strict data provenance, audit trails, and explainability to prove exactly who touched a document or device, what they did, and when they did it. Regulators require a tamper-evident chain of custody for all digital interactions to ensure that connected devices and AI agents are making decisions based on validated, uncorrupted data.
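As an added illustration (not code from the article or from the sessions it cites), the following is a minimal tamper-evident audit trail: each who/what/when record is hash-chained to its predecessor, so a later edit, deletion or reordering of any record is detectable on verification. The record schema, user and device names, and the pharma batch-record sample are all constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # fixed anchor for the first entry

@dataclass(frozen=True)
class AuditEntry:
    """One who/what/when record in the chain of custody (constructed schema)."""
    actor: str       # who touched the document or device
    action: str      # what they did
    target: str      # which document or device
    timestamp: str   # when (ISO 8601, UTC)
    prev_hash: str   # entry_hash of the previous record (GENESIS for the first)
    entry_hash: str  # SHA-256 over prev_hash and the four fields above

def _digest(prev_hash, actor, action, target, timestamp):
    # Canonical serialization (fixed order, no whitespace) so identical facts hash identically.
    payload = json.dumps([prev_hash, actor, action, target, timestamp], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append_entry(chain, actor, action, target, timestamp):
    """Append a record linked to the current head; returns the new head hash."""
    prev = chain[-1].entry_hash if chain else GENESIS
    h = _digest(prev, actor, action, target, timestamp)
    chain.append(AuditEntry(actor, action, target, timestamp, prev, h))
    return h

def verify_chain(chain):
    """Index of the first broken entry (edited, deleted or reordered), or None if intact.
    Anchor the head hash outside the system (e.g. a WORM store) so a full rewrite is caught too."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e.prev_hash != prev or e.entry_hash != _digest(prev, e.actor, e.action, e.target, e.timestamp):
            return i
        prev = e.entry_hash
    return None

def tamper(chain, index, **changes):  # simulate an unlogged after-the-fact edit, for the detection demo
    fields = asdict(chain[index])
    fields.update(changes)
    chain[index] = AuditEntry(**fields)

def build_sample_chain():
    """Constructed sample: a pharma batch record and reactor touched by two users and a PLC."""
    chain = []
    append_entry(chain, "qa.analyst01", "approve", "batch-record/BR-2024-017", "2024-05-02T09:14:03Z")
    append_entry(chain, "plc-line3", "set-temp:72C", "reactor/R-3", "2024-05-02T09:15:40Z")
    append_entry(chain, "ops.tech07", "override-alarm", "reactor/R-3", "2024-05-02T09:16:12Z")
    return chain
```

Running `verify_chain` over `build_sample_chain()` returns `None`; after `tamper(chain, 2, action="acknowledge-alarm")` it returns `2`, pinpointing the altered record.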
3. Strategies for Bridging Security and Compliance
A common challenge in the industry is treating compliance as a simple checklist. Experts warn that compliance does not necessarily equal security; rather, regulations are often “lagging indicators” that address the threats of yesterday (such as ransomware) rather than the advanced threats of tomorrow.
To build an agile and compliant connected ecosystem, companies should adopt the following strategies:
- Adopt International Standards: Leveraging frameworks like IEC 62443 allows organizations to procure assets that already have security embedded and certified. This moves organizations away from traditional reactive testing and extends the secure, compliant lifespan of the technology.
- Implement Robust Network Segmentation: For legacy devices that cannot support modern compliance controls, operators must rely on the Purdue Model, firewalls, and unidirectional data diodes to segment the OT network from the IT network and the public internet. Diodes offer hardware-enforced, one-way data transfers that meet strict compliance demands without adding continuous audit overhead.
- Merge Security and Compliance: Organizations should view compliance audits not as a painful burden, but as a mechanism to demonstrate and validate their actual security state. The most successful organizations force a collaboration between IT and OT teams, ensuring that regulatory checklists actually translate into defensible network architectures.
Conclusion
Achieving regulatory compliance for connected devices is a critical necessity driven by severe financial penalties, executive liability, and critical safety risks. By embedding digital identities, demanding SBOM transparency, and aligning with frameworks like IEC 62443 and the CRA, manufacturers can turn regulatory compliance from a complex burden into a secure, competitive global advantage.
Sources and Session References
The information in this article was extracted directly from the following sessions hosted by IIoT World:
- Bridging IT & OT Without Compromising Security: Lessons from the Field (ICS Cybersecurity Day) – Sponsored by KeyFactor: IEC 62443 standards, Cyber Resilience Act (CRA), PKI (Public Key Infrastructure) for digital identity, SBOM visibility, and patch management.
- Cybersecurity in the Energy Industry: Protecting Critical Infrastructure in a Connected Era (Energy Day) – Sponsored by KeyFactor: Device identity/fingerprinting, regulations as lagging indicators, and Zero Trust architecture.
- Standing up to Cyber Risk in Operational Technology in Energy (ICS Cybersecurity Day) – Sponsored by Fortinet: SEC board liability and CEO accountability, NERC CIP, TSA Security Directive 2, NIS2, and merging security with compliance.
- Agentic AI in Manufacturing: From Copilots to Autonomous Systems (AI Frontiers) – Sponsored by Cybus and Infinite Uptime, Inc.: GxP and GMP compliance in Pharma, the EU AI Act, audit trails, and explainability.
- Preparing Your Data Layer for AI-Driven Product and Supply-Chain Decisions (AI Frontiers) – Sponsored by Adlib: The doubling of inspections in regulated industries, data provenance, and tamper-evident chain of custody.
- Data Sovereignty in Manufacturing: Building Trust with EU Reference Architectures (Manufacturing Day) – Sponsored by Cybus: The EU Data Act, the EU AI Act, and data sharing compliance.
- Securing OT Data Transfers: Proven Strategies for Efficiency and Protection (ICS Cybersecurity Day) – Sponsored by OPSWAT: The Purdue Model, network segmentation, and utilizing data diodes to meet compliance without disrupting operations.
Frequently Asked Questions
1. What are the primary regulations for IIoT devices in Europe?
The European Union regulates connected devices through the Cyber Resilience Act (CRA), which mandates secure by design principles. Additionally, the NIS2 Directive standardizes security for critical infrastructure, while the EU AI Act and EU Data Act govern autonomous systems and data access.
2. How do US regulations impact critical infrastructure security?
In the United States, compliance is driven by industry-specific mandates such as NERC CIP for the power sector. Following major security breaches, the TSA issued Security Directive 2 to combat ransomware in connected infrastructure, often supported by NIST frameworks like 800-53.
3. What is the role of PKI in device compliance?
Public Key Infrastructure (PKI) is used to meet standards like IEC 62443. It embeds a unique digital certificate or “birth identity” into a device, enabling a zero-trust architecture where every connected product must authenticate its identity before communicating.