Security is not a constraint on speed to market. It is the enabler of access.
In an era when cybercrime extracts more wealth from the global economy than most nations produce, the European Union has chosen regulation as its instrument of structural repair. The EU Cyber Resilience Act, covering the vast majority of networked devices, does not merely impose penalties on the negligent — it quietly rewards the prepared, transforming compliance into a form of market access that compounds over time. Those who build security into their products from the beginning are not simply avoiding fines; they are earning entry into the world's most demanding marketplace while others are turned away at the door.
- Cybercrime costs the global economy $5.5 trillion annually — not because of elite hackers, but because billions of devices were shipped with security treated as optional.
- Starting September 2026, the EU CRA mandates five-year security updates, 72-hour breach reporting, and security-by-design for over 90% of IoT products, with penalties reaching €15 million or 2.5% of global turnover.
- Compliance costs average €100,000 per product line — a steep but rational investment when weighed against penalty exposure and the structural prize of exclusive access to Europe's market.
- Manufacturers who move early gain a compounding advantage: as the compliance bar rises, non-compliant competitors are locked out, turning regulatory burden into a durable moat.
- Specialized providers like Kigen — whose eSIM platform spans 250+ networks and demonstrated 72-hour vulnerability response in 2024 — offer manufacturers a proven path to accelerate compliance without building every capability from scratch.
The global economy loses $5.5 trillion annually to cybercrime — not through sophisticated attacks, but through a structural failure: connected devices shipped with security as an afterthought. At the MWC IoT Summit in Shanghai this June, Kigen's Jean-Louis Carrara made a counterintuitive case to an audience of manufacturers: the EU Cyber Resilience Act is not a burden to be managed. It is a generational opportunity.
The regulation covers more than 90% of IoT products. Beginning September 2026, manufacturers must provide five years of security updates, report confirmed breaches within 72 hours, and demonstrate that security was engineered in from the start — not retrofitted. Penalties reach €15 million or 2.5% of global annual turnover. For any company building a product today with plans to sell in Europe by 2027, this is already an urgent present reality.
The compliance math is stark: roughly €100,000 per product line against €15 million in potential penalties. But Carrara's deeper argument was about access. As the compliance threshold rises, the European market becomes available only to those who have done the work. Early movers don't just avoid penalties — they inherit a structural advantage that compounds as competitors fall behind.
Kigen's own conduct illustrates the principle. When significant eSIM vulnerabilities emerged across the industry in 2024, the company identified the problem and released a patch within 72 hours — sharing it openly, without paywalls, in coordination with the GSMA and aligned with ENISA guidelines. Carrara was direct: 'We did not wait for regulation to demand it. We acted because it was right.'
The technical foundation is already in place. Kigen's platform delivers autonomous over-the-air security updates across entire device fleets, supports secure provisioning at manufacturing scale, and operates across a global operator ecosystem. The company chairs the GSMA eSIM Working Group, actively raising the security floor for the entire industry.
Three forces are converging: AI is transforming manufacturing, advanced connectivity is extending that transformation globally, and regulatory-grade security is the condition that makes all of it trustworthy. The window for first-mover advantage is open — but not indefinitely. The manufacturers who define the next decade will be those who recognize where deep expertise already exists and accelerate by partnering with it.
The global economy loses 5.5 trillion dollars annually to cybercrime—a sum that exceeds the GDP of every nation on Earth except the United States and China. The culprit is not sophisticated hacking so much as a structural failure: billions of connected devices shipped to market with security bolted on as an afterthought, if at all. At the MWC IoT Summit in Shanghai this June, Jean-Louis Carrara, senior vice president of global sales at Kigen, stood before an audience of manufacturers and made a counterintuitive argument. The EU Cyber Resilience Act, the regulation that will reshape how the world builds connected devices, is not a compliance burden. It is a once-in-a-generation opportunity.
The Cyber Resilience Act covers more than 90 percent of all IoT products that contain digital elements—sensors, gateways, industrial equipment, the smart devices that populate homes and factories. If it connects to a network, it falls under the mandate. Starting in September 2026, manufacturers must provide security updates for five years after a product ships. They must report confirmed security breaches within 72 hours. They must demonstrate that security was engineered into the product from the first line of code, not added later. The penalties for failure are severe: up to 15 million euros, or 2.5 percent of global annual turnover, whichever is larger. For any company developing a product today with plans to sell it in Europe in 2027, compliance is not a future problem. It is a present one.
The arithmetic of compliance is straightforward. Independent analysis puts the average cost of bringing a single product line into compliance at roughly 100,000 euros. Against potential penalty exposure of 15 million euros, the choice is clear. But Carrara pressed the argument further, and this is where the reframe becomes consequential. As the compliance threshold rises, access to the European market becomes selectively available—available only to manufacturers who have done the work. For those who move early, this creates a structural advantage that compounds over time. Security is not a constraint on speed to market. It is the mechanism that unlocks access to the world's most demanding, and most lucrative, markets.
Kigen's own history illustrates the point. The company's eSIM technology—the secure digital SIM card that allows devices to switch between cellular networks—operates across more than 250 terrestrial and satellite networks worldwide. Hundreds of millions of devices rely on it. But scale alone does not equal trust. In 2024, significant vulnerabilities were discovered in eSIM frameworks used across the industry. Kigen identified the problem and, within 72 hours, had developed and released a patch. The company shared it openly, without paywalls, in full coordination with the GSMA and aligned with ENISA disclosure guidelines. Carrara was explicit about the reasoning: "We did not wait for regulation to demand it. We acted because it was right." The industry's security, he argued, is only as strong as its weakest point. Kigen's response supported the coordinated effort to develop countermeasures and mitigate risk. The company continues to contribute to standards bodies, advancing the security floor for the entire ecosystem.
The technical capability to meet the regulation is already proven. Kigen's platform delivers autonomous over-the-air security updates—patches that can be deployed across an entire installed fleet of devices without physical intervention. Native IoT profile management enables secure provisioning at manufacturing scale. Interoperability across the global operator ecosystem ensures devices function wherever customers need them. Kigen chairs the GSMA eSIM Working Group, actively advancing standards that raise security requirements industry-wide. The company is backed by Arm, SoftBank Vision Fund 2, SBI Group, and Salica Investments, and trusted by leading global brands in consumer electronics, energy, automotive, logistics, and industrial automation.
The convergence of three forces is creating the inflection point Carrara described. Artificial intelligence is transforming how products are manufactured. Advanced connectivity is extending that transformation to every corner of the globe. And regulatory-grade security is the condition that makes all of it trustworthy. The window for first-mover advantage is open, but it will not remain open indefinitely. The manufacturers who will define the next decade are those who recognize where deep, specialized expertise already exists—and who accelerate their path to market by partnering with it rather than attempting to build every capability in-house. The regulatory framework is clear. The technical capability is proven. The question now is which manufacturers will move first.
Notable Quotes
We did not wait for regulation to demand it. We acted because it was right—and because the industry's security is only as strong as its weakest point. — Jean-Louis Carrara, SVP Global Sales at Kigen
The Hearth Conversation: Another perspective on the story
Why does Kigen frame this as an opportunity rather than a burden? Isn't compliance always expensive?
Because the cost of compliance is fixed—roughly 100,000 euros per product line. But the cost of non-compliance is catastrophic: up to 15 million euros in penalties. Once you've paid the compliance cost, you have something most competitors won't have: access to the European market. That's structural advantage.
But won't every manufacturer eventually comply? Won't the advantage disappear?
Eventually, yes. But "eventually" is the key word. The regulation takes full effect in September 2026. A manufacturer who complies today has a two-year head start on competitors who wait. In IoT, that's a generation. They'll have market share, customer relationships, and proven interoperability. Late movers will be playing catch-up.
You mentioned Kigen's response to the eSIM vulnerability. Why did they patch it so quickly, before regulation required it?
Because the industry's security is only as strong as its weakest point. If Kigen's eSIMs are vulnerable, every device using them is vulnerable. The company understood that its own long-term trust depends on the entire ecosystem being secure. That's not altruism—it's enlightened self-interest.
So the real competitive advantage is trust?
Trust demonstrated under pressure. When stakes are highest, when vulnerabilities are real, when the industry is watching—that's when you show who you are. Kigen acted within 72 hours, coordinated with standards bodies, shared the patch openly. That builds the kind of trust that survives regulatory scrutiny and customer due diligence.
What happens to manufacturers who don't have access to specialized security expertise?
They have two choices: build it in-house, which is slow and expensive, or partner with someone who already has it. The regulation creates an incentive to partner. The manufacturers who move fastest are those who recognize they don't need to own every capability—they need to own the relationships with the companies that do.