By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: GlobalSignPublished November 19, 2025

TL;DR: Global supply of connected devices is projected to rise from 7.740 billion today to 29 billion by 2030, while the EU Cyber Resilience Act would impose mandatory security requirements across the full product lifecycle, according to GlobalSign and the European Commission. The policy shift matters because device identity, certificate management, and vulnerability handling are becoming governance problems, not just engineering tasks.


At a glance

What this is: This is a policy and lifecycle-security analysis of how Matter and the proposed EU Cyber Resilience Act are reshaping connected device security.

Why it matters: It matters because device authentication, certificate trust, and long-lived credentials now sit inside broader identity governance decisions that affect IoT, infrastructure, and security programmes.

👉 Read GlobalSign's analysis of Matter, PKI, and the Cyber Resilience Act


Context

Connected device security is increasingly a lifecycle and governance problem, not just a device hardening problem. As IoT populations grow, the trust model has to cover onboarding, authentication, update integrity, vulnerability disclosure, and end-of-life handling, because weak identity controls on devices become persistent attack paths.

The article also sits at the intersection of IoT security and identity governance. Certificates, PKI, and device trust anchors are the identity layer for connected devices, so teams responsible for IAM, PAM, and NHI governance should treat device identity as part of the same control system that manages secrets, workloads, and service accounts.


Key questions

Q: What breaks when connected devices do not have a defined identity lifecycle?

A: Devices that cannot be issued, rotated, revoked, and retired through a controlled lifecycle become permanent trust risks. In practice, that leads to stale certificates, unreliable revocation, and devices that remain authenticated long after support ends. The result is an attack surface that grows silently across the fleet and is difficult to govern at scale.

Q: How should organisations govern IoT devices as part of identity security?

A: Treat IoT devices as governed identities, not just endpoints. Assign each device a unique identity, bind onboarding to certificate-based authentication, define revocation criteria, and track which service chains depend on that identity. The governance goal is to make device trust explicit, reviewable, and removable when the device is retired, compromised, or no longer authorised.

Q: What do security teams get wrong about PKI for connected devices?

A: Teams often assume certificates solve trust on their own. PKI only provides durable identity if issuance, renewal, revocation, and inventory are governed continuously. Without those controls, certificates become long-lived credentials that are difficult to retire and easy to overlook in large device populations.

Q: Who is accountable when a connected device remains vulnerable after sale?

A: Accountability should sit with both the manufacturer and the operator, but the proposed EU Cyber Resilience Act shifts more responsibility to the manufacturer for lifecycle security, updates, and vulnerability handling. Operators still need procurement and monitoring controls, but they should demand evidence of support, disclosure, and update commitments before deployment.


Technical breakdown

Matter and device interoperability: why trust now has to scale

Matter is designed to make connected devices interoperable across ecosystems, but interoperability only works when trust is portable and consistent. That means device identity, certificate issuance, and authentication have to be standardised enough that different platforms can recognise the same device without weakening assurance. In practice, the security challenge shifts from isolated onboarding flows to lifecycle trust management across manufacturers, ecosystems, and users. The key issue is not whether the device connects, but whether it can be authenticated, updated, and decommissioned without creating a permanent trust gap.

Practical implication: align device onboarding with a consistent certificate and identity model rather than ad hoc per-platform pairing.

The Cyber Resilience Act and lifecycle security controls

The proposed EU Cyber Resilience Act pushes security obligations into planning, design, production, delivery, maintenance, and support. That matters because it treats vulnerabilities as lifecycle obligations, not just post-sale defects. Manufacturers are expected to document risks, handle actively exploited vulnerabilities, and keep updates available for years. For practitioners, the important shift is governance: device security can no longer be validated only at procurement or deployment. It has to be enforced through updateability, disclosure handling, and product support windows that match the device’s operational life.

Practical implication: require evidence of secure update processes, disclosure handling, and support commitments before approving connected devices.

PKI as the identity backbone for connected devices

Public key infrastructure remains one of the few mechanisms that can provide scalable device identity for IoT fleets. Certificates allow devices to prove identity cryptographically, which is more durable than shared passwords or static secrets in high-volume environments. But PKI only helps if certificate issuance, rotation, revocation, and renewal are governed properly. Without lifecycle controls, certificates can become long-lived trust artefacts that outlast their intended risk window. For teams managing fleets of devices, PKI is not just a technical layer. It is an operational identity control that has to be measured and maintained.

Practical implication: inventory certificate lifetimes, automate renewal, and tie revocation to device offboarding.


NHI Mgmt Group analysis

Device identity is becoming the control plane for connected product security. The article shows that the real issue is no longer simply whether a device is vulnerable, but whether its identity can be established, maintained, and revoked across its life. When millions of devices depend on certificates and update paths, security depends on lifecycle governance as much as on hardware design. Practitioners should treat device identity as an identity programme concern, not a niche engineering detail.

Lifecycle regulation is shifting accountability from buyers to manufacturers. The Cyber Resilience Act model expects security to exist from design through maintenance, which closes the gap between procurement controls and operational reality. That changes how buyers assess risk, because a secure procurement decision now depends on evidence of support windows, vulnerability handling, and update availability. Practitioners should require lifecycle assurances, not just feature checklists.

PKI is the practical bridge between IoT scale and security assurance. A device fleet cannot be protected with manual trust decisions at enterprise scale, especially when interoperability is the goal. Cryptographic identity gives teams a way to authenticate devices consistently, but only if certificates are managed with the same discipline as other credentials. Practitioners should align IoT certificate management with identity governance rather than treating it as isolated infrastructure.

Connected device governance will increasingly resemble NHI governance. IoT devices, like service accounts and workloads, are non-human entities that need identity issuance, rotation, revocation, and offboarding controls. The governance failure is the same in both cases: credentials that persist beyond their useful life create an unmanaged attack surface. Practitioners should unify device identity policy with broader NHI lifecycle controls.

What this signals

Lifecycle enforcement will become the dividing line between deployable device fleets and unmanaged trust sprawl. As connected products scale, teams will need to prove that identity is not just assigned at onboarding but governed through maintenance and retirement. That makes certificate lifecycle management, revocation evidence, and device offboarding part of the same operating model that governs NIST SP 800-53 Rev 5 Security and Privacy Controls.

Device identity should now be measured with the same discipline applied to non-human identities. The practical question is whether every device has a current trust anchor, a documented support window, and a revocation path when it is no longer safe to use. In our view, that is the operational bridge between IoT security and broader identity governance.

Because IoT fleets behave like large populations of managed non-human entities, the programme risk is not only compromise but ungoverned persistence. If a device credential cannot be rotated or retired cleanly, the control gap looks less like a product weakness and more like an identity lifecycle failure.


For practitioners

  • Define a device identity lifecycle policy Map issuance, renewal, rotation, revocation, and end-of-life steps for every connected device class, including consumer and industrial fleets. Use the same governance model you apply to non-human identities so that device trust is not left to ad hoc provisioning. Where possible, link policy enforcement to certificate management and offboarding workflows.
  • Require lifecycle evidence from suppliers Ask manufacturers for support windows, vulnerability disclosure processes, and secure update commitments before approval. The Cyber Resilience Act is moving security expectations into the product lifecycle, so procurement should verify that devices can be maintained securely after deployment. Tie acceptance criteria to documented maintenance and update availability.
  • Automate certificate renewal and revocation Use PKI workflows that can renew certificates before expiry and revoke them when devices are decommissioned, compromised, or re-provisioned. Manual handling does not scale to billions of devices, and stale certificates become standing trust artefacts. Build renewal, revocation, and inventory checks into operational monitoring.
  • Align IoT security with identity governance Bring IoT trust anchors, onboarding flows, and support-life management into the same control review cycle as IAM and NHI programmes. That makes it easier to identify where device credentials, certificates, or authentication paths are drifting beyond policy. Reference NIST SP 800-53 Rev 5 Security and Privacy Controls for access and integrity control mapping where relevant.

Key takeaways

  • Connected device security is shifting from one-time pairing to continuous lifecycle governance.
  • The proposed Cyber Resilience Act makes vulnerability handling, update support, and documentation part of security accountability.
  • PKI remains central to IoT trust, but only if certificate issuance, renewal, revocation, and offboarding are managed as identity controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Device onboarding and authentication are central to Matter-based trust.
NIST SP 800-53 Rev 5IA-5Certificate management is the core control issue in IoT identity governance.
CIS Controls v8CIS-5 , Account ManagementDevice identity lifecycle maps to managing non-human accounts and credentials.
ISO/IEC 27001:2022A.8.2Connected device lifecycle security depends on protecting information assets through ownership and handling.
GDPROnly relevant where connected devices process personal data in consumer or smart home settings.

Assess whether device identity and telemetry handling create personal data obligations before deployment.


Key terms

  • Vendor Identity Lifecycle: The full sequence of onboarding, entitlement assignment, monitoring, and offboarding for a vendor account or integration. For third parties, the lifecycle matters because access often outlives the immediate business need unless revocation is verified and repeated as relationships change.
  • Public Key Infrastructure: A system for issuing and managing digital certificates that let devices prove who they are cryptographically. In connected environments, PKI supports scalable trust, but only when issuance, renewal, revocation, and inventory are governed as ongoing operational controls.
  • Lifecycle Security: Lifecycle security is the practice of governing a system across its full life, from creation and deployment to update and retirement. For AI, it means security cannot stop at launch because risk can enter through training data, configuration, access, monitoring, and decommissioning.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The article explains how the CSA Matter standard is intended to improve interoperability across smart home ecosystems.
  • It outlines the proposed EU Cyber Resilience Act obligations for planning, design, development, delivery, maintenance, and support.
  • It summarises how manufacturers would need to document risks, notify exploited vulnerabilities, and provide updates for at least five years.
  • It points to PKI and certificate-backed identity as the practical security model for connected device trust.

👉 GlobalSign's full article covers the standards context, lifecycle obligations, and certificate-based trust model in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need a stronger control model for non-human credentials across modern security programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org