Stay up to date with the latest news, opinions and free resources from Device Authority.
The rapid expansion of connected devices has fundamentally changed how organisations operate. From smart sensors and industrial controllers to gateways, cameras, and embedded systems, IoT has become integral to modern business. Digital transformation is accelerating the adoption of IoT technologies, increasing the attack surface and making IoT security a critical component of modern cybersecurity strategies. Yet as these environments grow, a dangerous reality has emerged: many organisations no longer know exactly what is connected to their networks.
For more than three decades, cybersecurity innovation and investment have followed a familiar rhythm. Each major wave—network security, endpoint security, identity, cloud, and data—spawned new platform winners and reshaped the M&A landscape. Today, we stand at the threshold of the next foundational shift. The digital and physical worlds have converged to such an extent that machines—not humans—are the primary operators of enterprise networks. They power manufacturing lines, drive vehicles, control energy infrastructure, guide medical systems, and increasingly act autonomously through embedded AI.
If the first Automotive Engineering Insight highlighted why identity is becoming a bottleneck, this second instalment focuses on how that bottleneck manifests in real-world vehicle programmes.
This insight breaks down the repeatable identity failure modes observed across OEM and Tier 1 environments — not theoretical risks, but engineering realities that lead to OTA instability, rollback loops, manufacturing inconsistencies, and rising compliance exposure as software-defined vehicle (SDV) programmes accelerate.
When UNECE WP.29 cybersecurity regulations came into force, many automotive manufacturers initially viewed them as a European compliance requirement. In 2025, that perspective is no longer sufficient. WP.29 has become a global benchmark, influencing how connected vehicles are designed, secured, and maintained throughout their lifecycle. The regulation has a profound impact on the entire automotive sector, shaping cybersecurity practices and compliance requirements across multiple countries worldwide.
When UNECE WP.29 came into force, it transformed the global automotive industry. For the first time, cybersecurity became a mandatory requirement for modern vehicles — not a marketing feature, not a technical add-on, but a regulated obligation. WP.29 forced manufacturers to rethink how vehicles were designed, updated and secured, requiring formal Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS) across the entire vehicle lifecycle. This marked a significant global regulatory shift, as vehicle regulations now establish mandatory cybersecurity management systems, compliance protocols, and safety standards to ensure the security and reliability of connected vehicles worldwide.
Zero Trust has become one of the most widely adopted security models of the past decade, yet its application to IoT and edge environments is often misunderstood. Zero-trust security is a cybersecurity approach that denies access to an organization’s digital resources by default. While the principle of “never trust, always verify” is well established in IT, applying it to fleets of autonomous devices operating at the edge introduces a new set of challenges.
The automotive industry is undergoing a profound transformation. With vehicles now functioning as software-defined, connected platforms, manufacturers face unprecedented security challenges. From over-the-air (OTA) updates and telematics to ADAS, battery systems and mobility services, every vehicle today relies on digital identities and cryptographic trust.
Automotive programs are moving faster than many engineering teams planned for. Regulatory pressure — from UN R155/R156 (WP.29) and ISO/SAE 21434 to the forthcoming EU Cyber Resilience Act — is reshaping expectations for how identity, signing, and software integrity are managed across the entire ECU and OTA lifecycle. At the same time, SERMI is redefining workshop and diagnostic access, introducing strong authentication into processes that were previously loosely governed.
In a world where billions of devices now shape our connected reality, IoT security has evolved from an IT problem to a board-level priority. As the IoT ecosystem grows—an interconnected network of devices, systems, and infrastructures—comprehensive IoT security solutions have become essential to protect, manage, and scale these environments. Yet despite the growing awareness, one challenge remains stubbornly persistent — the management and protection of unmanaged devices. These devices, often invisible to traditional IT systems, create blind spots that attackers exploit with increasing precision.