For CISOs, 2025 is the year when regulation and reality finally collide. Governments and standards bodies are no longer issuing gentle guidance; they are setting hard requirements for how connected devices must be secured, authenticated and monitored throughout their lifecycle. Device Authority describes NIST frameworks and the European Union Cyber Resilience Act (CRA) as the “global reference points” for IoT security governance, with automation now essential because manual compliance simply does not scale across thousands or millions of IoT/OT devices.
At the same time, the U.S. federal government’s Executive Order 14028 (EO 14028) is accelerating Zero Trust adoption, SBOM transparency and supply chain integrity for federal and critical infrastructure systems. The combined effect is clear: organisations can no longer treat IoT and OT security as side projects. They must be able to see every device, prove every identity and demonstrate continuous control. These regulations are designed to strengthen the nation’s cybersecurity by establishing robust standards and frameworks for digital infrastructure protection.
This article explains what CISOs really need to know about NIST, CRA and EO 14028 in 2025 – and how automated machine identity and platforms like KeyScaler 2025 make compliance achievable.
Introduction to Regulatory Compliance
The rapid proliferation of IoT devices and connected devices across industries has dramatically increased cybersecurity risks, making regulatory compliance a top priority for organizations worldwide. As the IoT ecosystem expands, regulatory bodies are introducing new rules and mandatory cybersecurity requirements to address the growing threat landscape. The European Union’s Cyber Resilience Act (CRA) and the US Executive Order 14028 stand out as key regulations shaping the future of IoT cybersecurity, setting clear expectations for how organizations must protect critical systems and infrastructure.
These regulations are designed to enhance cybersecurity practices by requiring timely security updates, robust access control, and ongoing monitoring of devices throughout their lifecycle. The National Institute of Standards and Technology (NIST) plays a pivotal role in this landscape, providing authoritative guidance on software supply chain security, IoT security, and the protection of critical infrastructure. NIST’s frameworks are increasingly referenced as the baseline for compliance, not just in the US but globally.
For organizations, the challenge is significant: ensuring compliance in a world where IoT devices number in the thousands or even millions, and where the software supply chain is complex and constantly evolving. To meet these new regulatory requirements, organizations must adopt zero trust principles, implement continuous monitoring, and maintain rigorous access control across their entire network. Achieving effective IoT cybersecurity and regulatory compliance is no longer a one-time effort—it requires a sustained, strategic approach to protect critical systems and ensure ongoing trust in the digital elements that power modern business.
The Three Pillars: NIST, CRA and EO 14028 in Plain Language
Although these frameworks come from different jurisdictions, they all push organisations in the same direction: identity-first, visibility-driven, Zero Trust security for every connected device. Securing the Internet of Things (IoT) is central to these cybersecurity frameworks, as regulatory compliance and data protection increasingly depend on robust security for connected devices across industries.
NIST: From Guidance to Baseline Expectation
NIST has evolved from a set of best-practice guidelines into a de facto baseline for critical infrastructure security. The latest NIST work – including the NIST Cybersecurity Framework (CSF) 2.0 and NIST 1800-32 – places a strong emphasis on identity management, continuous monitoring, secure software development and supply chain risk management for IoT and OT. NIST’s frameworks are shaping security standards and compliance requirements for IoT technology, ensuring connected devices meet rigorous protection and regulatory expectations.
For CISOs, the key message is that device identity and lifecycle management are no longer optional extras. NIST expects organisations to be able to identify every device, authenticate it, monitor its behaviour and manage its credentials over time. That expectation now extends deep into OT, where industrial and medical devices can’t simply be patched or replaced like laptops.
The EU Cyber Resilience Act (CRA): Secure by Design and for Life
The EU Cyber Resilience Act is the most significant piece of European legislation for connected devices in years. It requires manufacturers to build security into products from the outset (“secure by design”), maintain ongoing vulnerability management and provide updates throughout the product lifecycle.
From a CISO perspective, CRA raises the bar in two ways. First, if you are a device manufacturer, you must be able to prove that your devices implement appropriate security controls and that vulnerabilities are managed continuously. Second, if you are a device operator (for example a hospital, industrial company or energy provider), you must show that you are actually using those controls: monitoring devices, managing credentials and addressing vulnerabilities in a timely, auditable way. This is especially critical for healthcare IoT, where compliance with regulations and robust security practices are essential to protect sensitive data and ensure device safety.
Executive Order 14028: Zero Trust and Supply Chain Integrity
The U.S. Executive Order 14028 targets federal agencies and critical infrastructure operators, but its impact is global. It explicitly calls for Zero Trust architectures, stronger software supply chain security and improved incident reporting.
The practical effect is that suppliers and partners who want to serve this market must also modernise. EO 14028 expects organisations to adopt identity-based access control, deploy SBOMs (Software Bills of Materials), and ensure that devices and software components can be traced, verified and updated. In addition, federal procurement processes now require agencies to follow NIST guidelines and cybersecurity standards when purchasing software and IoT products, making compliance essential for vendors. In IoT and OT environments, that means every device needs a verifiable machine identity and its behaviour must be visible over time.
Common Threads: What These Frameworks All Demand
Even though NIST, CRA and EO 14028 have different scopes and legal foundations, they converge on a set of common requirements. Device Authority’s IoT/OT security guidance summarises these themes as identity, visibility, automation and continuous compliance.
First, real-time visibility is non-negotiable. Organisations must know what devices they have, where they are, which software they run and how they behave. This includes monitoring IoT networks to detect threats in real time and ensure compliance across all connected devices, such as industrial sensors, gateways, and smart endpoints. You cannot demonstrate compliance with any of these frameworks if your asset inventory is incomplete or out of date.
Second, strong, verifiable identity is mandatory. Devices need cryptographic credentials, certificates and keys that can be tied back to trusted roots and managed over time. In addition, tracking and verifying firmware versions is essential for continuous compliance monitoring, ensuring that devices meet regulatory requirements and are protected against known vulnerabilities. Trust-by-default – letting any device connect simply because it is on the network – is no longer acceptable.
Third, regulators now expect continuous vulnerability management and policy enforcement, not annual audits. CRA explicitly mandates ongoing vulnerability handling for connected devices, while NIST and EO 14028 stress continuous monitoring, Zero Trust and supply chain integrity. Robust security practices, including security by design and proactive vulnerability management, are critical to meeting these regulatory expectations and reducing risk.
Finally, all three frameworks imply automation. Device Authority notes that manual compliance has become unsustainable for organisations with large IoT/OT estates; automation is the only way to sustain compliance at scale and keep pace with evolving threats. This is reinforced in Device Authority’s own IoT/OT guide and July newsletter, which highlight the role of AI and automation in meeting regulations such as NIST, CRA and EO 14028.
Achieving Cyber Resilience in a Fragmented Regulatory Landscape
Navigating the fragmented regulatory landscape of IoT security is a significant challenge for organizations managing diverse fleets of IoT devices, medical devices, and operational technology. The Cyber Resilience Act (CRA) sets a high bar, requiring manufacturers to embed advanced security features such as encryption, secure communication protocols, and continuous vulnerability monitoring into their products. At the same time, federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) are raising the standard for supply chain risk management and providing critical guidance to help organizations enhance their cybersecurity posture.
To ensure compliance and achieve true cyber resilience, organizations must take a proactive approach—one that goes beyond basic security measures. This means adopting zero trust architecture to verify every device and user, conducting regular penetration testing to uncover vulnerabilities, and implementing continuous compliance monitoring to detect anomalies and respond to threats in real time. The private sector also plays a crucial role, especially in the development and deployment of consumer IoT products, by adhering to cybersecurity standards and promoting best practices across the supply chain.
By prioritizing comprehensive compliance efforts and integrating security into every layer of their IoT systems, organizations can protect their entire network and critical systems from evolving cyber threats. This holistic approach not only strengthens the nation’s cybersecurity but also ensures the integrity and resilience of the broader IoT ecosystem. In a world where regulatory requirements are constantly evolving, continuous compliance and a robust trust architecture are essential for safeguarding both organizational assets and the public interest.
Why Manual Compliance Fails in IoT and OT
In traditional IT environments, compliance teams could get away with point-in-time assessments: a quarterly scan here, a manual spreadsheet update there. In IoT and OT, that model collapses. A single factory, hospital or distributed energy network may contain tens of thousands of devices, many of which are unmanaged, vendor-locked or incapable of running agents.
Trying to map each device to a standard like NIST 1800-32 or CRA using manual processes is both error-prone and economically impossible. Every time firmware changes, a certificate expires, or a new vulnerability is disclosed, the compliance picture shifts slightly. By the time a manual audit is completed, large parts of it are already outdated.
Device Authority’s content is blunt on this point: automation is now essential, not a nice-to-have, if enterprises want to keep up with NIST and CRA requirements. Automation reduces the need for human intervention in compliance processes, enabling immediate responses such as revoking access or updating credentials without manual action. Instead of human teams chasing spreadsheets and PDFs, organisations need systems that continuously map device states against specific standards, flag deviations and generate tamper-proof audit logs.
Pilot programs are increasingly used to test and evaluate new compliance or cybersecurity labeling initiatives for IoT and software products, helping organizations assess effectiveness and identify areas for improvement.
How Machine Identity Automation Bridges Regulation and Reality
This is where machine identity automation becomes central to a CISO’s strategy. Rather than bolting on “compliance” at the end of the process, platforms such as KeyScaler 2025 embed compliance logic directly into the way device identities are issued, managed and monitored. Comprehensive IoT solutions like KeyScaler 2025 address cybersecurity challenges and regulatory compliance by supporting secure integration of connected devices and meeting evolving security standards across multiple industries.
Device Authority describes KeyScaler 2025 as being able to map device identities to frameworks such as NIST 1800-32, CRA and EO 14028, track configuration changes, and automatically flag non-compliant states. The platform uses AI to generate dynamic trust scores for devices, taking into account certificate validity, firmware integrity, vulnerability exposure and behavioural deviations, and aligns those scores with regulatory expectations.
In practice, this means that when a device drifts out of compliance – for example, by running outdated firmware or deviating from its expected behaviour – KeyScaler can automatically lower its trust score, trigger alerts, restrict access, rotate credentials or even isolate it from the network altogether. Compliance stops being a static report and becomes a continuous, automated control loop.
Crucially, this approach also creates auditable evidence. Because KeyScaler records device identity events, configuration changes and policy actions in tamper-resistant logs, CISOs can demonstrate alignment with NIST, CRA and EO 14028 in a way that is defensible to auditors, regulators and customers alike. Developing a trust strategy is essential to guide the implementation of zero trust architectures and ensure ongoing compliance with regulatory frameworks.
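The control loop this section describes, written out as an added illustrative example that is not KeyScaler’s code or Device Authority’s scoring method: a trust score built from the four signals named above (certificate validity, firmware integrity, vulnerability exposure, behavioural deviation), score bands mapped to the escalating policy actions, and a hash-chained audit log so the recorded evidence is tamper-evident. The weights, thresholds, device record fields and approved-firmware list are all assumptions constructed for the example; it also covers the certificate and firmware-version tracking called for under Common Threads.

```python
import hashlib, json

# Constructed sample data (assumption, not a real inventory): approved firmware per device class.
APPROVED_FIRMWARE = {"plc": {"4.2.1", "4.2.2"}, "gateway": {"1.9.0"}}

def trust_score(dev):
    """Score 0-100 from: cert_days_left, firmware vs. approved list, open_vulns, anomaly (0.0 baseline..1.0)."""
    score, reasons = 100, []
    if dev["cert_days_left"] < 0:
        score -= 50; reasons.append("certificate expired")
    elif dev["cert_days_left"] < 30:
        score -= 15; reasons.append("certificate expires within 30 days")
    if dev["firmware"] not in APPROVED_FIRMWARE.get(dev["class"], set()):
        score -= 30; reasons.append("firmware not on approved list")
    if dev["open_vulns"]:  # assumed weight: 10 per unpatched known vulnerability, capped at 30
        score -= min(30, 10 * dev["open_vulns"]); reasons.append(f"{dev['open_vulns']} open vulns")
    if dev["anomaly"] > 0.5:  # behavioural deviation from the learned baseline
        score -= 25; reasons.append("behaviour deviates from baseline")
    return max(score, 0), reasons

def policy_action(score):
    """Map score bands (assumed thresholds) to the escalating responses the text describes."""
    if score >= 80: return "allow"
    if score >= 60: return "alert"
    if score >= 40: return "restrict_and_rotate_credentials"
    return "isolate"

class AuditLog:
    """Append-only, hash-chained evidence log: altering any earlier entry breaks verify()."""
    def __init__(self): self.entries = []
    def record(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)  # canonical form so the hash is reproducible
        self.entries.append({"prev": prev, "body": body,
                             "hash": hashlib.sha256((prev + body).encode()).hexdigest()})
    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or hashlib.sha256((prev + e["body"]).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def evaluate(dev, log):
    """One pass of the control loop: score the device, decide the action, write auditable evidence."""
    score, reasons = trust_score(dev)
    action = policy_action(score)
    log.record({"device": dev["id"], "score": score, "reasons": reasons, "action": action})
    return score, action
```

Running `evaluate` on each device on every inventory refresh, rather than at audit time, is what turns the static report into the continuous loop the text describes.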
What CISOs Actually Need to Do in 2025
Understanding the frameworks is only half the job. The more important question is: what should CISOs actually change in their programmes this year?
The first priority is to baseline visibility. CISOs should insist on an agentless discovery capability that can find every IoT and OT device on the network, classify it, and highlight where identity is missing or weak. Without this, it is impossible to say whether you meet NIST visibility requirements or CRA’s expectations around vulnerability handling.
The second step is to move from ad hoc certificates to automated machine identity. Instead of relying on one-off certificate issuance or manual key management, organisations should adopt a platform that can issue, rotate and revoke certificates in line with policy – and that can tie those operations explicitly to NIST and CRA controls. This is the only realistic way to ensure that every device in scope for EO 14028 or CRA has a provable identity.
Third, CISOs should treat Zero Trust as the implementation vehicle for compliance, not as a separate initiative. Device Authority explicitly links Zero Trust enforcement with these regulatory frameworks: regulators want evidence that identity is verified, access is least-privilege and behaviour is monitored continuously. A well-implemented Zero Trust architecture for IoT/OT essentially ticks many of the same boxes. These frameworks are aimed at enhancing cybersecurity across organizations by aligning with government initiatives, standards development, and regulatory requirements.
Finally, leadership teams must recognise that AI and automation are not buzzwords in this context; they are the mechanisms that allow compliance to keep pace with reality. Device Authority’s July newsletter and subsequent blogs underline that AI-driven anomaly detection, trust scoring and remediation are key to meeting evolving standards such as NIST, CRA and EO 14028. Automation is essential for achieving effective IoT security at scale, enabling organizations to protect complex and growing IoT ecosystems.
Conclusion: Compliance as a Continuous Security Outcome
NIST, CRA and EO 14028 are often framed as compliance burdens, but for CISOs they can also serve as strategic anchors. They push organisations towards the practices that were needed anyway: real-time visibility, identity-first security, lifecycle control and automated enforcement.
The challenge is scale. With connected device estates growing and regulations tightening, manual methods have reached their limit. By adopting machine identity automation and AI-driven platforms like KeyScaler 2025, CISOs can turn abstract frameworks into concrete, continuous security outcomes – and prove it, every day, to regulators, customers and boards.
In 2025, that is what will separate organisations that merely claim compliance from those that can demonstrate it in real time.