Cyber Resilience Act (CRA) posters hung over the NürnbergMesse center as a physical manifestation of the security considerations occupying ever greater space in the minds of the congregated vendors, with the sweeping cross-industry regulation raising expectations for any connected device or product. The timeline leaves no room to dawdle, with compliance due by December 11, 2027. Post-quantum readiness is another challenge, with device life spans forcing early integration, while hardware constraints in embedded devices demand creative solutions from chip manufacturers. Achieving adequate key space and optimized, yet adaptable processing in constrained devices is no small feat, but leaders like NXP and STMicroelectronics, which announced Post-Quantum Cryptography (PQC) through the microcontroller range around the event, are working quickly to provide sufficient Post-Quantum (PQ)-safe options to meet the diverse needs of embedded devices.
Navigating the Demands: Partnership, Modular Solutions, and Flexibility
IMPACT
Regulation drives a burgeoning compliance ecosystem, with consultancy and test and report automation tools featuring prominently at the show. The timelines created by certification processes drive a strong desire for pre-certified options, with modular product components and white-labeling being the solutions to maintain an effective time to market for many manufacturers.
As well as changing the requirements for chip manufacturers, the requirement for PQ-safe crypto-agility—particularly for global vendors that may need to support as-yet-unconfirmed regional preferences, especially in Asia-Pacific—contributed to the prominence of Field Programmable Gate Arrays (FPGAs) and associated vendors at the show. While FPGAs can’t match the speeds of fixed hardware, their capacity to be redefined at the physical level eliminates the risks incurred by optimizing for a fixed algorithm, which may or may not be found vulnerable at a later stage. This shapeshifting ability can be taken still further with implementations like AMD’s Dynamic Function eXchange (DFX), which lets mutually exclusive functions run on the same hardware at different stages of operation, so manufacturers get more out of their FPGAs by reusing the same space.
Consolidate the Problems
RECOMMENDATIONS
Regulation isn’t the only driver of this leveling up of security in the embedded market. The huge proliferation of Artificial Intelligence (AI) in edge devices creates an important incentive for protection of Intellectual Property (IP), either of the vendor’s own model or of licensed models—for which the licensee must demonstrate sufficient protection as a condition of use. Integrated tooling will ensure that the often (though not always) convergent needs of safety, security, regulatory compliance, and commercial liability are met in a centralized model, with robust requirements tracing and product verification systems feeding reporting for any application.
For many, the issue isn’t introducing security, but proving it. Among tool providers, the winners will be those that successfully productize compliance, while maintaining maximum flexibility to accommodate requirements evolution and the customizations of industries and enterprises. The core pillars—product visibility (including of upstream components), robust testing, and automated reporting—are the same for all. The trick will be in creating user experiences that feel highly tailored from this common core.
In some ways, the chip manufacturers tackling PQ readiness are facing the opposite problem. The physical challenges of integration for embedded use cases are myriad, and the nebulous demand for agility further complicates things. To achieve PQ compliance by government deadlines, customers need clear and unified guidance to cut through the confusion and uncertainty. STMicroelectronics’ announcement of full-range PQ integration reflects the hunger in the market for simplicity on this topic—there’s simply too much else to think about.
This is highlighted by the fact that these were by no means the only major security evolutions on display at embedded world. When not occupied with building their compliance system and ensuring PQ integration, manufacturers need to evaluate hardware versus software security, secure hardware technology choices as Microcontroller Units (MCUs) evolve, and the hardware attack landscape—for many implementers, security is necessary, but not directly monetizable. embedded world 2025 was rife with innovation, but to move from innovation to market impact in the coming 5 years, the innovators will need to deliver an impeccable—yet cost-effective—balance of flexibility and simplicity.