Starting in 2027, every connected device sold in the European Union will need to receive security updates for its entire lifetime. That's the mandate of the EU Cyber Resilience Act (CRA), and for most IoT device manufacturers, it represents a significant new operational burden. Building and maintaining firmware update infrastructure isn't trivial. It's expensive, it requires ongoing cloud costs, and most hardware companies would rather spend their engineering time on the product itself.
Norwegian chipmaker Nordic Semiconductor just removed that problem. The company announced a lifetime flat-rate FOTA (Firmware Over-the-Air) and device management license through its nRF Cloud platform, available across its entire low-power wireless portfolio. One upfront fee. Lifetime firmware updates. No ongoing cloud charges.
Announced at Embedded World in Nuremberg, the move positions Nordic Semiconductor not just as a chip vendor but as the compliance infrastructure layer for the IoT industry's new regulatory reality.
The Regulation That's Reshaping IoT Economics
The EU Cyber Resilience Act is one of those regulations that sounds straightforward until you try to implement it. In essence: if you sell a connected device in Europe, you must provide security patches for any identified vulnerabilities throughout the device's expected lifetime. Not for two years. Not until the next model ships. For the device's lifetime.
For a company making a smart sensor that's expected to operate for 10 or 15 years, that's a decade-plus commitment to maintaining update infrastructure. For startups and mid-sized hardware companies, building that infrastructure from scratch could cost more than the firmware updates themselves.
"Preparing for compliance with the EU Cyber Resilience Act is going to add significant operational overhead and project complexity for device manufacturers," explains Francois Baldassari, founder of Memfault and now VP of Software Services at Nordic Semiconductor. "With the enforcement of the CRA approaching quickly, Nordic is providing solutions that simplify and accelerate the compliance process."
From Chip to Cloud in One Integration
Nordic Semiconductor's nRF Cloud is integrated directly with the company's nRF Connect SDK, its unified software development kit. That pre-integration is the key advantage. Device manufacturers using Nordic's chips don't need to bolt on a third-party FOTA provider or build their own. The update infrastructure comes with the silicon.
| Capability | Detail |
|---|---|
| Pricing Model | One-time upfront fee (lifetime) |
| Coverage | Full Nordic low-power wireless portfolio |
| Integration | Pre-integrated with nRF Connect SDK |
| Regulatory Targets | EU CRA (2027), US Cyber Trust Mark |
| Key Features | Approval workflows, audit logs, staged rollouts |
| Fleet Management | Intuitive console with health monitoring |
| Delivery Network | Global, optimized for low-power devices |
| Bootloader | MCUboot (built into nRF Connect SDK) |
| Gateway Support | Ready-made FOTA libraries |
The capabilities list reads like a checklist of everything the CRA requires: approval workflows, immutable audit logs, staged rollouts with analytics, health monitoring, and rollback. Nordic isn't just offering firmware delivery. It's offering the entire compliance documentation stack.
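To make the controls in that checklist concrete, here is an added illustration (written for this page, not code from Nordic or nRF Cloud) of how a cloud-side FOTA controller enforces them: a release must be approved before it ships, devices are updated in staged batches, post-update health telemetry gates each stage, a failing stage rolls every updated device back, and each decision is written to a hash-chained audit log that detects after-the-fact edits. The `Device`, `Rollout` and `telemetry_health` names, the stage fractions and the 10% failure threshold are all constructed assumptions, and the "fleet" is a list in memory rather than real hardware.

```python
"""Staged FOTA rollout with approval, health-gated stages, rollback and a
hash-chained audit log. Constructed illustration; not nRF Cloud's implementation."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class AuditLog:
    """Append-only log: each entry commits to the previous entry's hash,
    so deleting or editing an earlier record breaks verification."""
    entries: list = field(default_factory=list)

    def append(self, event: str, **data) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({"event": event, "data": data, "prev": prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"event": event, "data": data, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps({"event": e["event"], "data": e["data"], "prev": prev}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


@dataclass
class Device:
    """Hypothetical fleet member; boot_loop models a unit the new image breaks."""
    device_id: str
    version: str
    boot_loop: bool = False


def telemetry_health(device: Device) -> bool:
    """Stand-in for post-update health telemetry (assumed check)."""
    return not device.boot_loop


class Rollout:
    """Push `target` firmware to a fleet in cumulative stages (fractions of the
    fleet); halt and roll back everything if a stage's failure rate is too high."""

    def __init__(self, fleet, target, stages=(0.05, 0.25, 1.0), max_failure_rate=0.10):
        self.fleet, self.target = fleet, target
        self.stages, self.max_failure_rate = stages, max_failure_rate
        self.approved = False
        self.log = AuditLog()

    def approve(self, approver: str) -> None:
        """Approval workflow: nothing ships until a named approver signs off."""
        self.approved = True
        self.log.append("approved", approver=approver, version=self.target)

    def run(self, health_check) -> str:
        if not self.approved:
            raise PermissionError("rollout not approved")
        n = len(self.fleet)
        updated = []  # (device, previous_version) for rollback
        done = 0
        for frac in self.stages:
            cutoff = max(done, int(round(n * frac)))
            batch = self.fleet[done:cutoff]
            for d in batch:
                updated.append((d, d.version))
                d.version = self.target
            failures = [d.device_id for d in batch if not health_check(d)]
            rate = len(failures) / len(batch) if batch else 0.0
            self.log.append("stage", fraction=frac, updated=len(batch), failures=failures)
            if rate > self.max_failure_rate:
                for d, prev in updated:  # restore every device touched by this rollout
                    d.version = prev
                self.log.append("rolled_back", reason=f"failure rate {rate:.2f}", restored=len(updated))
                return "rolled_back"
            done = cutoff
        self.log.append("completed", version=self.target, devices=n)
        return "completed"


if __name__ == "__main__":
    # Constructed fleet of 20 units; two of them boot-loop on the new image.
    fleet = [Device(f"d{i:02d}", "1.0.0", boot_loop=(i in (1, 2))) for i in range(20)]
    rollout = Rollout(fleet, "1.1.0")
    rollout.approve("release-manager")
    print(rollout.run(telemetry_health))  # the 25% stage trips the threshold
    for entry in rollout.log.entries:
        print(entry["event"], entry["data"])
    print("audit log intact:", rollout.log.verify())
```

The point of the stage/rollback split is that a bad image never reaches the whole fleet before telemetry has a chance to veto it, and the chained log gives an auditor a record of who approved what and why a rollout stopped, which is the documentation trail a regulation like the CRA asks a manufacturer to keep.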
The Memfault Connection Explains a Lot
Baldassari's presence at Nordic Semiconductor is worth unpacking. He founded Memfault, a device reliability and OTA update platform that became one of the most respected tools in embedded engineering. His move to Nordic Semiconductor (the company acquired Memfault's technology) signals that Nordic sees software services, not just hardware, as a growth engine.
That's a significant strategic shift for a company historically known for making really good low-power Bluetooth and cellular chips. By bundling FOTA and device management into its silicon offering, Nordic is moving up the value chain from component supplier to platform provider. The lifetime pricing model reinforces this: it creates a direct relationship between Nordic and the end device manufacturer that persists long after the chip is soldered onto a board.
For Nordic's competitors, including Espressif, Silicon Labs, and Qualcomm's IoT division, this sets a new standard. If one chip vendor bundles lifetime compliance into the purchase price, every other vendor will face the question: does your chip come with CRA compliance built in?
Compliance as Competitive Moat
The genius of Nordic's approach is that it transforms a regulatory cost into a customer acquisition tool. Device manufacturers evaluating chip vendors now have a concrete reason to choose Nordic over alternatives: one decision eliminates an entire category of regulatory risk.
The US angle adds another dimension. The Cyber Trust Mark, America's equivalent labeling program for IoT device security, is voluntary for now but signals the direction of travel. By pre-integrating compliance for both EU and US frameworks, Nordic is positioning its customers for regulatory environments that haven't fully materialized yet. That kind of forward-looking infrastructure is exactly what hardware companies, which design products years before they ship, need.
Will every IoT manufacturer switch to Nordic? No. Chip selection depends on technical requirements, power budgets, connectivity protocols, and pricing. But for the growing segment of manufacturers who sell into European markets and want to minimize their CRA compliance burden, Nordic just made the decision a lot simpler.
When Regulation Becomes Someone's Revenue
There's a recurring pattern in tech regulation. A new rule creates compliance costs. The companies that build infrastructure to absorb those costs capture value from everyone else's pain. GDPR spawned a multi-billion-dollar privacy tech industry. The CRA is doing the same for IoT security.
Nordic Semiconductor is making a bet that it can be the default infrastructure provider for that transition. By embedding compliance into the chip itself, the company is ensuring that every device manufactured on its platform is CRA-ready from the moment it powers on. One fee. Lifetime coverage. For hardware companies staring down a 2027 deadline, that's not just a feature. It's a relief.
